Windows 7 - Best Practices to stay virus free

Posted on 2011-05-02
Last Modified: 2013-11-22
I've got a couple hundred W7 PCs that I need to take care of. I think we do a pretty good job of keeping the machines updated and using up-to-date security suites, but we continue to have a few computers every week that get infected.

We've spent a lot of time and energy trying all the different AV suites, and have come to the conclusion that basically some suck and some suck less. None will keep the computer virus free, and many will mess the computer up pretty badly.

We've also tried running different (non-IE) browsers and have come to the same conclusion. Just as many viruses come in on Chrome or Firefox as on IE.

We'll be adding gateway AV soon, and email is well cleansed, so that helps.

So I'm looking for advice on what can be done to try to keep these computers clean while keeping them usable.

Question by:willp2

Assisted Solution

by:Sudeep Sharma
Sudeep Sharma earned 1000 total points
ID: 35508305
The first thing I would do is not give Administrator or equivalent rights to the users. That would cut virus infections by almost 95%.

Even after this, if the systems are still getting infected, we would need to look at what kind of infection it is and explore the other possible infection sources.

I would like to see what the other experts have to say on this.


Accepted Solution

Lee W, MVP earned 1000 total points
ID: 35508327
Yep, I've been saying that for some time now... they all suck.

The one that sucks least (to me) is Sunbelt VIPRE Enterprise.

Other best practices include:
* Don't turn off UAC.
* EDUCATE your users - this can be difficult... but I've heard of companies providing training, incentives, even prizes for users who learn how to NOT get infected.
* Don't run programs as an administrator (or allow your users to run as an administrator).
* Use a firewall (Windows' own or another) and don't allow things in or out unless you KNOW they need to be allowed... for example, if you use Exchange, Exchange is your mail server, and it needs port 25 open to the world, in and out. All other systems send mail through Exchange, so all other systems should have port 25 blocked OUT as well as in.
* Use multiple levels of defense - install that AV gateway and make sure it has a DIFFERENT scanning engine than the AV product you use on the computers.

Expert Comment

by:Lee W, MVP
ID: 35508379
By the way - that's in no particular order.

Expert Comment

by:Thomas Zucker-Scharff
ID: 35508386
I wouldn't go as far as some others in saying they all "suck". I have found the ESET product line (I am not affiliated with ESET in any way) to be very good. That said, I find that user education gives the biggest percentage decrease in malware. With a combination of a perimeter firewall and ESET's NOD32 AV solution on the desktops, we've had one department keep ALL their computers malware free for the past 10 years (granted, the sysadmin is excellent as well).

Expert Comment

by:Lee W, MVP
ID: 35508431
And I've found ESET to let Antivirus viruses through that Sunbelt caught - and to be too aggressive, misidentifying other security-related software as a virus. And while I personally have not seen a virus VIPRE Enterprise couldn't handle, my clients aren't routinely infected... I'm sure they are out there... absolutely positive... when I get a call that VIPRE didn't catch something, so be it... but it's least sucky in my opinion because I've been using it at about a dozen clients with 150 machines or so for the last 18 months and haven't had any verified complaints that a virus got through.

Expert Comment

ID: 35508678
All AV software has different ways of detecting and detects different infections. I have had a look at Microsoft Forefront as it uses multiple AV engines: http://www.microsoft.com/forefront/en/us/default.aspx

leew makes a lot of valid points, as the majority of infections are avoidable and are down to end users' lack of knowledge when it comes to pop-ups, etc. I would remove all admin privileges from the end users, ensure that UAC is set to the recommended level, and make sure the Internet Explorer pop-up blocker and other default settings are in place for IE. Block port 25 outbound from everything except the Exchange server, as this will stop any potential blacklisting.

I would also look at an antimalware product such as Malwarebytes; they do a corporate version which I think is reasonably priced and can offer some real-time protection.

I hope the information helps. We use Symantec Endpoint Protection, which can centrally manage all machines and has antimalware built in as well as proactive protection. We have found it to have a good detection rate as well.
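The three controls that recur in Lee W's list and in the comment above (keep UAC on, keep users out of the local Administrators group, block outbound SMTP from everything that is not the mail server) can be checked and enforced per machine. The script below is an added example written for this page, not something posted in the thread. It targets Windows 7's PowerShell 2.0, so it uses ADSI and netsh rather than the Get-LocalGroupMember and New-NetFirewallRule cmdlets that only arrived later. It assumes the only legitimate local admins are the built-in Administrator and Domain Admins; adjust $expected for your environment.

```powershell
# Added example (not from the original thread). Run from an elevated PowerShell
# prompt on a Windows 7 workstation. PowerShell 2.0 compatible.

# Refuse to run unelevated: every change below needs admin rights.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell prompt."
}

# 1. UAC must stay on. EnableLUA=1 turns UAC on (needs a reboot to change);
#    ConsentPromptBehaviorAdmin=0 is "never notify", 5 is the Windows 7 default.
$uacKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$uac = Get-ItemProperty -Path $uacKey
if ($uac.EnableLUA -ne 1) {
    Write-Warning "UAC is disabled (EnableLUA=$($uac.EnableLUA)); re-enabling, effective after reboot"
    Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning "UAC admin prompt is 'never notify'; restoring the default level"
    Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
}

# 2. Who is a local administrator? Anything outside $expected is a candidate for
#    removal (see the local-admin-account approach discussed later in the thread).
#    $expected is an assumption for this example; set it to your own standard.
$expected = @("Administrator", "Domain Admins")
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
Write-Output "Local Administrators: $($members -join ', ')"
$extra = @($members | Where-Object { $expected -notcontains $_ })
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected members of Administrators: $($extra -join ', ')"
}

# 3. Workstations never need to speak SMTP: Outlook reaches Exchange over
#    MAPI/RPC, and Exchange alone sends to port 25 on the Internet. Blocking
#    outbound TCP/25 here stops an infected PC from spamming directly (and from
#    getting your public IP blacklisted). Windows Firewall block rules win over
#    allow rules, so a plain block with no exception is the right shape.
$ruleName = "Block outbound SMTP - workstations"
$existing = netsh advfirewall firewall show rule name="$ruleName" 2>$null
if ($existing -match "No rules match") {
    netsh advfirewall firewall add rule name="$ruleName" dir=out action=block protocol=TCP remoteport=25 | Out-Null
    Write-Output "Added firewall rule: $ruleName"
} else {
    Write-Output "Firewall rule already present: $ruleName"
}
```

Run it once by hand to see what it reports, then push it as a startup script via Group Policy; the UAC and firewall steps are idempotent, and the admin-group step only warns, so it can run on every boot without surprising anyone. Do not deploy the port-25 rule to the Exchange server itself, which is exactly the one machine that must be allowed out on 25.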

Expert Comment

ID: 35508746
I wrote this EE article quite a while ago and it still applies. Much of the advice is already mentioned in the excellent comments above:
http://www.experts-exchange.com/A_1958.html (MALWARE - "An Ounce of Prevention...")

One small thing that I always configure is:
Cookies - "First Party" set to 'Prompt' and "Third Party" set to 'Block'.
I don't know of any legitimate website or application that needs Third Party cookies.


Author Comment

ID: 35508922
Great response, thanks much.

I'm sure the biggest single problem is that many of the users have admin rights to the machines. I'll need to work out something to get them the rights they need without giving them admin rights to the machine.

We have been using Symantec AV Corporate, centrally managed, for years. It's great as far as management goes, but we've just had bad luck with it in other ways. So we are interested in looking elsewhere.

I wasn't aware that Forefront had multiple engines. I thought it was just a paid-for version of Security Essentials. I'll have to look into that.

For me personally, ESET is in the "sucks more" category. It did a fine job at AV, but it completely ruined several machines to the point that they needed a Windows reinstall. The same things that make it very powerful at protecting the machines also mean that it has fingerprints everywhere. If something goes wrong it can just destroy things. That's just my recent personal experience; I'm sure it's great for others, but I'll not be going down that road again anytime soon.

If anyone has any comments on the best way to set up limited rights while granting rights to the system when needed, and for many users, that would be helpful. I know technically how to do it; I'm just looking for ideas on a system that's manageable.

Thanks again!

Expert Comment

by:David Johnson, CD, MVP
ID: 35509248
That is what runas or right-click "Run as administrator" is for... and it should be used very sparingly. No program should have to run with admin rights.
The easiest way to remain virus/malware free is reduced rights and user education. Nothing will protect from a user who is determined enough.

Author Comment

ID: 35509281
Thanks. I do understand how it works. It's just that with a lot of users it can be hard to manage having to train everyone to enter passwords every time they need to do anything. Still, we have to do what we have to do.

Expert Comment

by:Lee W, MVP
ID: 35509339
I don't consider myself a programmer - but I could write a configuration dialog just as impressive as Symantec does. I often think that's their interview test for their programmers - "Can you write an impressive-looking configuration page with cool ideas that we can claim we have and never make them all work at the same time?" If the answer is yes, I think they hire you.

Put simply, Symantec, IN MY OPINION, is not a company that provides virus protection - they provide feature ideas that other people see and ACTUALLY MAKE WORK in their competing products.  I HATE symantec.  Every major outbreak I've had to squash has been "protected" by Symantec products.  They turn working products to SH!T.

If your users NEED admin rights, then you have to find out why. Is there a program that doesn't run unless they are an admin? If so, then look at replacing or upgrading the program... or create a shortcut to it and embed the admin credentials in the shortcut so that only the program runs as an admin (replacing/upgrading is better - and if you do a good cost analysis, replacing it MIGHT be CHEAPER than continuing to repair virus infections). Also, if the users need admin accounts - give them admin accounts. What one company I worked at did was give everyone who needed admin rights a local admin account. Their domain account, though, was JUST a user with no special privilege. When Win7 wants them to run something as an admin, they get prompted (assuming UAC isn't disabled). So education combined with the local admin account helps ensure they ONLY run as an admin when they NEED to. (Education - they should learn to ask: why would this program that I've never been told I need to use need me to be an admin to run... and if they aren't savvy, call the helpdesk.)
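The split-account arrangement described above (domain account stays a plain user, a separate local account carries the admin rights, UAC or runas is the bridge between them) is straightforward to automate per workstation. The script below is an added example for this page, not code from the thread. The domain CORP, user jdoe and local admin name la-jdoe are constructed placeholders. It uses net.exe because Windows 7 ships PowerShell 2.0, which has no New-LocalUser or Remove-LocalGroupMember.

```powershell
# Added example (not from the original thread). Run elevated on the workstation.
# Gives a user a separate local admin account and removes their domain account
# from the local Administrators group. Domain, user and account names below
# are constructed placeholders for the example.
param(
    [string]$Domain     = "CORP",
    [string]$User       = "jdoe",
    [string]$LocalAdmin = "la-jdoe"
)

# A random initial password; hand it over out of band. /passwordchg:yes lets
# the user replace it. (net user <name> * would prompt instead of taking the
# password on the command line, at the cost of being non-scriptable.)
Add-Type -AssemblyName System.Web
$password = [System.Web.Security.Membership]::GeneratePassword(16, 3)

# Create the local admin account only if it does not already exist.
# 'net user <name>' exits non-zero when the account is unknown.
net user $LocalAdmin 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    net user $LocalAdmin $password /add /passwordchg:yes /expires:never | Out-Null
    net localgroup Administrators $LocalAdmin /add | Out-Null
    Write-Output "Created local admin $LocalAdmin with initial password: $password"
} else {
    Write-Output "Local admin $LocalAdmin already exists; leaving it alone"
}

# The domain account must be an ordinary user on this machine.
# 'net localgroup Administrators' prints one member per line, e.g. CORP\jdoe.
$admins = @(net localgroup Administrators)
if ($admins -contains "$Domain\$User") {
    net localgroup Administrators "$Domain\$User" /delete | Out-Null
    Write-Output "Removed $Domain\$User from local Administrators"
}

# Verify the end state: local admin present, domain user absent.
$admins = @(net localgroup Administrators)
$ok = ($admins -contains $LocalAdmin) -and -not ($admins -contains "$Domain\$User")
Write-Output "Administrators membership correct: $ok"
```

With UAC left on, the user's normal session is a standard token; when an installer or a legacy tool asks for elevation, Windows shows the credential prompt and they type the la-jdoe password, which is the "prompted when Win7 wants to run something as an admin" behaviour described above. For the one program that genuinely needs it, a shortcut can launch it as `runas /user:.\la-jdoe "C:\Program Files\LegacyApp\app.exe"`. Avoid `/savecred` for that shortcut: it caches the credential in Credential Manager for the whole account, so anyone at that session can then start any program as la-jdoe, not just the one the shortcut names.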

Expert Comment

ID: 35509404
As is obvious, you should have a good proactive antivirus program installed. (Proactive means one that is on all the time and does not wait for a scan.) And use the Security settings in Internet Explorer. But also install SpywareBlaster and use a HOSTS file.
All must be kept up to date.
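A HOSTS file only helps if it is actually kept up to date, which in practice means a script rather than hand edits. The script below is an added example for this page, not code from the thread: it keeps a clearly delimited, managed block-list section in the Windows hosts file and replaces that section on every run, so it can be deployed as a scheduled task without accumulating duplicates or clobbering entries an admin added by hand. The three domain names are constructed placeholders under the reserved .example TLD.

```powershell
# Added example (not from the original thread). Run elevated; PowerShell 2.0 compatible.
# Maintains a managed blocklist section in the hosts file. Names resolve to
# 0.0.0.0 rather than 127.0.0.1 so a blocked connection fails immediately
# instead of reaching whatever happens to listen on the local loopback.
$HostsPath = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$Begin     = "# BEGIN managed blocklist"
$End       = "# END managed blocklist"
# Constructed placeholder names for the example; in production this list comes
# from the feed or reputation source your organisation trusts.
$BlockList = @("ads.example", "malware-dl.example", "tracker.example")

# Read the current file and drop any earlier managed section, keeping everything else.
$lines = @()
if (Test-Path $HostsPath) { $lines = @(Get-Content $HostsPath) }
$kept = @()
$inManaged = $false
foreach ($line in $lines) {
    if ($line -eq $Begin) { $inManaged = $true;  continue }
    if ($line -eq $End)   { $inManaged = $false; continue }
    if (-not $inManaged)  { $kept += $line }
}

# Build a fresh managed section. Validating each name keeps a malformed line in
# the feed from turning into an arbitrary hosts entry (e.g. redirecting a bank).
$managed = @($Begin)
foreach ($name in $BlockList) {
    if ($name -notmatch '^[a-z0-9][a-z0-9.-]*$') {
        Write-Warning "Skipping invalid hostname in blocklist: $name"
        continue
    }
    $managed += "0.0.0.0`t$name"
}
$managed += $End

# Write back as plain ASCII: the resolver does not cope with a UTF-8 BOM on the
# first line. Then flush the DNS client cache so the change is immediate.
Set-Content -Path $HostsPath -Value ($kept + $managed) -Encoding ASCII
ipconfig /flushdns | Out-Null
Write-Output ("hosts: kept {0} existing lines, wrote {1} managed entries" -f $kept.Count, ($managed.Count - 2))
```

Two caveats a practitioner should expect: many AV products (and Windows Defender) treat hosts-file modification as suspicious and may block or revert it, so whitelist the script or its signing certificate in your endpoint product first; and the hosts file has no wildcards, so blocking tracker.example does nothing for cdn.tracker.example. Keep the list modest as well, since the Windows 7 DNS client reads the whole file and very large lists slow every lookup.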
