Solved

How to best prevent malware problems?

Posted on 2013-12-04
19
965 Views
Last Modified: 2014-05-08
Most of our customers have small networks with just a few PCs, while others are single-user.  Most all are running Win7 Pro.  We install Norton internet Security on each one and keep it current.  Many are in rural areas of the country, and most get their internet connectivity from local DSL providers, while a few are on cable or satellite.

The problem is that a few of our users have constant malware problems, where I have to run Malwarebytes and Spybot on a regular basis, often cleaning up dozens of infections each time.  Recently it got so bad at one location that I had to reformat two PCs just to get them running right again.

I have never understood why Norton seemingly lets so much get by for these customers.  I've tried others in the past, such as Trend Micro and McAfee, with the same results.

I'm wondering if there is a better solution.  I am 'aware' of hardware firewalls, but there are many things I don't know.  Do they do a far better job of preventing these infections?  Are they affordable for a small network or single-user computer?  Are they easy to maintain and keep updated--assuming that is needed?  Do they tend to block legitimate work that the user needs to do, or have other quirks?

Or maybe there is a completely different solution that I don't know about.  Any clear, detailed guidance based on experience would be greatly appreciated.  TIA
0
Comment
Question by:sasllc
  • 3
  • 3
  • 2
  • +8
19 Comments
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 50 total points
ID: 39696047
Sounds strange that you get so many issues.

I would suggest Kaspersky on all PC's.

Good passwords on machines and change them regularly.

A good firewall and/or router such as a SonciWall or maybe Draytek router&Firewall.

Make sure all PC's are regularly patched and speak to users about browsing habits, funny emails and general internet use.

Although i do get occassional virus issues with my clients, it is thankfully rare.
0
 
LVL 24

Assisted Solution

by:aadih
aadih earned 50 total points
ID: 39696048
The prerequisite for avoiding virri is: practicing safe browsing habits.

You may try a different security product. Try Avira.

Unfortunately, no security software will offer a 100% protection.

You may also try using a software firewall, such as online armor (free).
0
 
LVL 6

Accepted Solution

by:
Jon Snyderman earned 50 total points
ID: 39696066
Big complex question but here is my take on it....

First off, I used to use Norton until I ran in to the same issues.   Big footprint with less than great detection.   From a local per-PC standpoint, the first step would be to dump Norton and go with either Trend Worry Free (because of small environments) or AVG CloudCare.   Both of which you can also make some recurring revenue on. In addition, you could purchase MalwareBytes so that it runs like AV software in the background.  This would be for your more troublesome clients.   Its  pretty inexpensive and seems to run well along side the AV programs (which is very unusual).   I am not a fan of McAfee either.   I have heard horror stories from customers with McAfee, one recently involving the CryptoLock virus.    Definately use a cloud solution for small clients though.   It gives you a way to monitor the updates for them and will be less cumbersome on the user.   If bandwidth is a concern, use one of the PCs or servers as an on-premise distribution point.

On the firewall standpoint, they still use an outsource engine, so in and of themselves, they are not more effective.   HOWEVER, and thats a huge however, they provide defense at the border before the PC is even hit.   This is big.  They also provide a second engine.  Meaning that if you use Trend on the PC and a Wathguard firewall for example, it uses the AVG engine.   Now you have two sets of engines and signature files.    Thelow end Watchguards and Sonics are more money than your residential Linksys devices, but they are so worth it.    Yes, you need to maintain them more and yes, more will be blocked (as it should), but your protection level is ten-fold.   Make sure that you get the bundles that include AV and content filtering.

I hope that helps a bit.   Good luck with your clients.

~Jon
0
 
LVL 87

Assisted Solution

by:rindi
rindi earned 50 total points
ID: 39696076
In my opinion all symantec stuff practically IS malware. Their only good products are the ones that completely remove their stuff.

So that's always what I do, remove any symantec software from a PC.

After that I install Panda Cloud Antivirus, with which I've never had any issues yet. For those PC's that aren't in a business environment you can use the free version.

The Windows built-in firewall is good enough, but always make sure the PC's are fully patched with windows updates etc.

Also teach your users that no product will ever be able to keep of malware 100%. So make them use the internet sanely. Get them to use a safer browser than IE, like firefox. install Adblock plus and flashblock addons within firefox (or chrome). Tell them not to visit web-pages that one wouldn't trust, and they should not click on every popup, button or link. Also tell them only to open mails they know the sender of, and also there not to just open every attachment. The web behavior is really almost more important than antivirus, antimalware and similar tools.
0
 
LVL 32

Assisted Solution

by:willcomp
willcomp earned 50 total points
ID: 39696166
Tell the problem users to stay off adult web sites and pirate sites. Most of the nasty stuff I see comes from those sites (e.g. FBI Warning). No anti-virus or even registered MBAM will prevent all infections.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 50 total points
ID: 39696221
Inform yourself about so-called software restriction policies. Those can prevent unknown programs from running without having to detect them.
0
 
LVL 19

Assisted Solution

by:Rob Hutchinson
Rob Hutchinson earned 50 total points
ID: 39696386
Since hearing about the encryption viruses, I freeze my PC at home, and only un-freeze it when I need to make changes.

If you have more than one drive, you can leave that drive unfrozen, then save your files there.

As an example, a drive can be setup using two partitions with the C drive taking up the largest portion of the physical drive and the D drive taking up a portion of the drive just big enough to store temporary docs etc.

Installing DeepFreeze is a no brainer. Arguements against using this program, are that you have to unfreeze the computer everytime you make a change to the software or check your email; although I don't make that many changes and it really isn't a hassle with email as I store the Outlook pst file on the un-frozen drive.

Faronic's DeepFreeze
0
 
LVL 14

Assisted Solution

by:Giovanni Heward
Giovanni Heward earned 50 total points
ID: 39696692
The problem with the majority of the solutions mention, is that they are signature/heuristic based solutions.  That is to say they only detect "known" signatures.  By design, these solutions will always be playing catch-up.  It's basically a "scan and pray" methodology, described as a "cat and mouse" game.  Unfortunately there is plenty of "social proof" justifying their use, as few know any better.  "Let's do what everyone else we know is doing, and have been doing for x years."  

The problem with this is any well known malware specimen can be encoded, encrypted, packed, refactored,  or recompiled.  This creates a "new" signature and thus becomes "undetectable" by signature-based solutions (until that particular specimen is found and submitted to the antimalware vendors.)

What you need to know is that anti-virus and other signature-based controls can’t keep up with the pace of the bad guys…

200,000+ new malware variants are released into the wild on a daily basis
30,000+ new malicious websites are created on a daily basis
30,000+ legitimate websites are hijacked on a daily basis

It's time for a paradigm shift.

****

You'll want to look at Invincea FreeSpace™.  Use this in conjunction with EMET (free) and OpenDNS (free).

Secure virtual container – between the host operating system and highly targeted applications
See FireEye for gateway products featuring similar methodology.  The Spikes Air Gapped Browser Model is another interesting approach.

The poor man's version of Invincea is to install VirtualBox (free), and create a virtual "dedicated Internet" OS.  The OS could be free as well, if Ubuntu or similar is used.  This dedicated virtual machine is to be used when interacting with the Internet and Internet based downloads.  When infection/exploitation occurs, simply revert the vm back to a clean snapshot and move on.  

Windows 7 running a Ubuntu 10.10 VM as a "dedicated Internet" OS
This is effectively a DMZ for the endpoint.  With the advent of so many 0-day vulnerabilities, you'd think it would be obvious by now (to the industry) that any application which interacts with the Internet and Internet based downloads should be considered untrusted.

On the primary OS, consider removing the default gateway and modifying browser/email client links to reference VirtualBox.

***

I'd be interested in learning how accessible DeepFreeze components are to malware (or processes running as SYSTEM for example-- having full access to all partitions, etc.)  

While whitelisting (Software Restriction Policies (SRP), AppLocker Policies, etc.) has its place, it's generally a given that a browser is permitted.  This means the browser itself is vulnerable to being exploited by malware designed to occupy the same memory space.  
EMET is designed to mitigate many of the approaches used to do so (ASLR, SEHOP, DEP, etc.)
0
 
LVL 26

Assisted Solution

by:Thomas Zucker-Scharff
Thomas Zucker-Scharff earned 50 total points
ID: 39696975
I agree with many of the suggestions above.  Good browsing habits is a start and a virtual environment for browsing is also good.  Use something like Comodo Endpoint along with WinPatrol Plus for maximum protection.  MalwareBytes Pro is also an excellent solution (I run it at home).

Comodo (10 free licenses for a year) - http://www.comodo.com/business-enterprise/cesm3/index_v2.php
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 32

Expert Comment

by:willcomp
ID: 39696976
All of these exotic solutions are well and good for us experts/geeks. They won't cut it for the average home/mom and pop business users.
0
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39696992
Amen!   Run a reputable AV and a reputable anti-malware and ideally have a nice hardware firewall and 98% of threats will be averted with very little user training (maybe some scolding though :-) )    As the IT professionals, it is our job to protect the non-savvy user without confusing the crap out of them.

~Jon
0
 
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39697086
In practice, Invincea is about as "exotic" as a web browser.

One of the least technically sophisticated employees in my company of 25,000 would infect her machine nearly every other week.  After installing Invincea (under Dell Data Protection | Protected Workspace), she hasn't had any infections which weren't detected and automatically reverted.  This required no addition skill or interaction on her part.

Perhaps there is a reason Dell is deploying this product globally as part of their new base image for certain systems.  Then again, if you look for a reason to make another person wrong (in your own mind), you'll find it.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39697095
x66_x72_x65_x65, Thank you for the information.  It's new(s) to me.  Helpful information is always welcome.  Cheers.  :-)
0
 
LVL 32

Expert Comment

by:willcomp
ID: 39697100
In your company of 25,000!
0
 
LVL 6

Expert Comment

by:Jon Snyderman
ID: 39697394
I know you were the last to post before it went south, but I don't think the comment was directed at you as much as the diversity and complexity of the thread in general.   My topologies if it was improperly stated.  

Jon
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 39700038
Why has NO ONE mentioned running as NON-ADMIN? That's 99.9% of the problem btw. Remove the admin rights of the users, but that is not to say that you take them 100% away. It is still possible for you to let them run and install programs when they need to, but they have to justify it to you first.

AV is a band-aid on a cancer, you need to make the users think twice before installing some tool-bar that does nothing except mine bit-coin in the background for the people they are installing it from.

Keep it simple, install a good AV product (they are all about the same, where they differ is on clean-up/removal) McAfee/Symantec/Avira/Kaspersky/MSE they all work fine if they are installed right and that doesn't mean default install settings for some.

Have patches automatically scheduled to be installed. Install M$'s EMET for a nice added cushion until a patch can be had for some 0-day's.

Have them use FF or Chrome instead of IE whenever possible, Active-X is still a very popular and effective attack vector.

Above all else, remove them from the local administrators group. open a question here on EE and ask for a vbscript that can be set as a scheduled task and can reset/change a user in the administrator group (not the admin acct itself). The users can when absolutely needed, use that account with run-as and the daily changing password for that account. You could have it change hourly, and it can change in a predictable way, have it based on the date or the time. We do this with our remote clients, but we have a python script that does it, the principal is the same.
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39700417
:) Allow the comment:
"Why has NO ONE mentioned running as NON-ADMIN? That's 99.9% of the problem btw"
Now that's a very strong assumption. Since malware authors have to fight with UAC since 7 years, they don't still write 99.9% of viruses to only work when admin & UAC is off, come on.
Many run in the user space, hard to say if that's the majority... but still, you are right, always one of the most important things.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39700867
99.9% is a little overstated for win7 :) But it does cut down on the users ability to infect themselves as well, making them ask permission for something often helps to curb or gi ve them pause. users are users, and they don't know what they are doing 99.9% of the time :)
-rich (aka mr. 99.9)
0
 

Expert Comment

by:waynehedrick
ID: 40050090
1.  Symantec says that Antivirus is a dead end solution.  It is especially true for their product.  We have left it.

http://www.theregister.co.uk/2014/05/06/symantec_antivirus_is_dead_and_not_a_moneymaker/

2.  Get something on the network, like others, I recommend anything but Symatnec.

3.  Use a UTM firewall.  I recommend Sonicwall, with their Comprehensive Security Services.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

PREFACE The purpose of this guide is to explain what the SEPC Status Utility is and how it works. I have written the utility using AutoIt and have included the source code for your review. You are welcome to modify the code to your liking, but I wi…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now