How to best prevent malware problems?

Most of our customers have small networks with just a few PCs, while others are single-user.  Most all are running Win7 Pro.  We install Norton Internet Security on each one and keep it current.  Many are in rural areas of the country, and most get their internet connectivity from local DSL providers, while a few are on cable or satellite.

The problem is that a few of our users have constant malware problems, where I have to run Malwarebytes and Spybot on a regular basis, often cleaning up dozens of infections each time.  Recently it got so bad at one location that I had to reformat two PCs just to get them running right again.

I have never understood why Norton seemingly lets so much get by for these customers.  I've tried others in the past, such as Trend Micro and McAfee, with the same results.

I'm wondering if there is a better solution.  I am 'aware' of hardware firewalls, but there are many things I don't know.  Do they do a far better job of preventing these infections?  Are they affordable for a small network or single-user computer?  Are they easy to maintain and keep updated--assuming that is needed?  Do they tend to block legitimate work that the user needs to do, or have other quirks?

Or maybe there is a completely different solution that I don't know about.  Any clear, detailed guidance based on experience would be greatly appreciated.  TIA
Jon Snyderman commented:
Big complex question but here is my take on it....

First off, I used to use Norton until I ran into the same issues. Big footprint with less than great detection. From a local per-PC standpoint, the first step would be to dump Norton and go with either Trend Worry Free (because of small environments) or AVG CloudCare. Both of which you can also make some recurring revenue on. In addition, you could purchase MalwareBytes so that it runs like AV software in the background. This would be for your more troublesome clients. It's pretty inexpensive and seems to run well alongside the AV programs (which is very unusual). I am not a fan of McAfee either. I have heard horror stories from customers with McAfee, one recently involving the CryptoLocker virus. Definitely use a cloud solution for small clients though. It gives you a way to monitor the updates for them and will be less cumbersome on the user. If bandwidth is a concern, use one of the PCs or servers as an on-premise distribution point.

On the firewall standpoint, they still use an outsourced engine, so in and of themselves, they are not more effective. HOWEVER, and that's a huge however, they provide defense at the border before the PC is even hit. This is big. They also provide a second engine. Meaning that if you use Trend on the PC and a Watchguard firewall for example, it uses the AVG engine. Now you have two sets of engines and signature files. The low-end Watchguards and Sonics are more money than your residential Linksys devices, but they are so worth it. Yes, you need to maintain them more and yes, more will be blocked (as it should), but your protection level is ten-fold. Make sure that you get the bundles that include AV and content filtering.

I hope that helps a bit.   Good luck with your clients.

Sounds strange that you get so many issues.

I would suggest Kaspersky on all PCs.

Good passwords on machines and change them regularly.

A good firewall and/or router such as a SonicWall or maybe a Draytek router and firewall.

Make sure all PCs are regularly patched and speak to users about browsing habits, funny emails and general internet use.

Although I do get occasional virus issues with my clients, it is thankfully rare.
The prerequisite for avoiding viruses is practicing safe browsing habits.

You may try a different security product. Try Avira.

Unfortunately, no security software will offer a 100% protection.

You may also try using a software firewall, such as Online Armor (free).

In my opinion all Symantec stuff practically IS malware. Their only good products are the ones that completely remove their stuff.

So that's always what I do, remove any Symantec software from a PC.

After that I install Panda Cloud Antivirus, with which I've never had any issues yet. For those PCs that aren't in a business environment you can use the free version.

The Windows built-in firewall is good enough, but always make sure the PCs are fully patched with Windows updates etc.

Also teach your users that no product will ever be able to keep off malware 100%. So make them use the internet sanely. Get them to use a safer browser than IE, like Firefox. Install the Adblock Plus and Flashblock add-ons within Firefox (or Chrome). Tell them not to visit web pages that one wouldn't trust, and they should not click on every popup, button or link. Also tell them only to open mails they know the sender of, and also there not to just open every attachment. The web behavior is really almost more important than antivirus, antimalware and similar tools.
Tell the problem users to stay off adult web sites and pirate sites. Most of the nasty stuff I see comes from those sites (e.g. FBI Warning). No anti-virus or even registered MBAM will prevent all infections.
Inform yourself about so-called software restriction policies. Those can prevent unknown programs from running without having to detect them.
Rob Hutchinson (Desktop Support) commented:
Since hearing about the encryption viruses, I freeze my PC at home, and only un-freeze it when I need to make changes.

If you have more than one drive, you can leave that drive unfrozen, then save your files there.

As an example, a drive can be setup using two partitions with the C drive taking up the largest portion of the physical drive and the D drive taking up a portion of the drive just big enough to store temporary docs etc.

Installing DeepFreeze is a no-brainer. Arguments against using this program are that you have to unfreeze the computer every time you make a change to the software or check your email; although I don't make that many changes and it really isn't a hassle with email as I store the Outlook pst file on the un-frozen drive.

Faronics' DeepFreeze
Giovanni Heward commented:
The problem with the majority of the solutions mentioned is that they are signature/heuristic based solutions. That is to say they only detect "known" signatures. By design, these solutions will always be playing catch-up. It's basically a "scan and pray" methodology, described as a "cat and mouse" game. Unfortunately there is plenty of "social proof" justifying their use, as few know any better. "Let's do what everyone else we know is doing, and have been doing for x years."

The problem with this is any well known malware specimen can be encoded, encrypted, packed, refactored,  or recompiled.  This creates a "new" signature and thus becomes "undetectable" by signature-based solutions (until that particular specimen is found and submitted to the antimalware vendors.)

What you need to know is that anti-virus and other signature-based controls can’t keep up with the pace of the bad guys…

200,000+ new malware variants are released into the wild on a daily basis
30,000+ new malicious websites are created on a daily basis
30,000+ legitimate websites are hijacked on a daily basis

It's time for a paradigm shift.


You'll want to look at Invincea FreeSpace™.  Use this in conjunction with EMET (free) and OpenDNS (free).

Secure virtual container – between the host operating system and highly targeted applications
See FireEye for gateway products featuring similar methodology.  The Spikes Air Gapped Browser Model is another interesting approach.

The poor man's version of Invincea is to install VirtualBox (free), and create a virtual "dedicated Internet" OS. The OS could be free as well, if Ubuntu or similar is used. This dedicated virtual machine is to be used when interacting with the Internet and Internet based downloads. When infection/exploitation occurs, simply revert the VM back to a clean snapshot and move on.

Windows 7 running an Ubuntu 10.10 VM as a "dedicated Internet" OS
This is effectively a DMZ for the endpoint.  With the advent of so many 0-day vulnerabilities, you'd think it would be obvious by now (to the industry) that any application which interacts with the Internet and Internet based downloads should be considered untrusted.

On the primary OS, consider removing the default gateway and modifying browser/email client links to reference VirtualBox.


I'd be interested in learning how accessible DeepFreeze components are to malware (or processes running as SYSTEM for example-- having full access to all partitions, etc.)  

While whitelisting (Software Restriction Policies (SRP), AppLocker Policies, etc.) has its place, it's generally a given that a browser is permitted.  This means the browser itself is vulnerable to being exploited by malware designed to occupy the same memory space.  
EMET is designed to mitigate many of the approaches used to do so (ASLR, SEHOP, DEP, etc.)
Thomas Zucker-Scharff (Solution Guide) commented:
I agree with many of the suggestions above. Good browsing habits are a start and a virtual environment for browsing is also good. Use something like Comodo Endpoint along with WinPatrol Plus for maximum protection. MalwareBytes Pro is also an excellent solution (I run it at home).

Comodo (10 free licenses for a year) -
All of these exotic solutions are well and good for us experts/geeks. They won't cut it for the average home/mom and pop business users.
Jon Snyderman commented:
Amen!   Run a reputable AV and a reputable anti-malware and ideally have a nice hardware firewall and 98% of threats will be averted with very little user training (maybe some scolding though :-) )    As the IT professionals, it is our job to protect the non-savvy user without confusing the crap out of them.

Giovanni Heward commented:
In practice, Invincea is about as "exotic" as a web browser.

One of the least technically sophisticated employees in my company of 25,000 would infect her machine nearly every other week. After installing Invincea (under Dell Data Protection | Protected Workspace), she hasn't had any infections which weren't detected and automatically reverted. This required no additional skill or interaction on her part.

Perhaps there is a reason Dell is deploying this product globally as part of their new base image for certain systems.  Then again, if you look for a reason to make another person wrong (in your own mind), you'll find it.
x66_x72_x65_x65, Thank you for the information.  It's new(s) to me.  Helpful information is always welcome.  Cheers.  :-)
In your company of 25,000!
Jon Snyderman commented:
I know you were the last to post before it went south, but I don't think the comment was directed at you as much as the diversity and complexity of the thread in general. My apologies if it was improperly stated.

Rich Rumble (Security Samurai) commented:
Why has NO ONE mentioned running as NON-ADMIN? That's 99.9% of the problem btw. Remove the admin rights of the users, but that is not to say that you take them 100% away. It is still possible for you to let them run and install programs when they need to, but they have to justify it to you first.

AV is a band-aid on a cancer; you need to make the users think twice before installing some toolbar that does nothing except mine Bitcoin in the background for the people they are installing it from.

Keep it simple, install a good AV product (they are all about the same, where they differ is on clean-up/removal) McAfee/Symantec/Avira/Kaspersky/MSE they all work fine if they are installed right and that doesn't mean default install settings for some.

Have patches automatically scheduled to be installed. Install M$'s EMET for a nice added cushion until a patch can be had for some 0-days.

Have them use FF or Chrome instead of IE whenever possible, Active-X is still a very popular and effective attack vector.

Above all else, remove them from the local administrators group. Open a question here on EE and ask for a vbscript that can be set as a scheduled task and can reset/change a user in the administrator group (not the admin acct itself). The users can, when absolutely needed, use that account with run-as and the daily changing password for that account. You could have it change hourly, and it can change in a predictable way, have it based on the date or the time. We do this with our remote clients, but we have a python script that does it; the principle is the same.
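The daily-changing run-as account described above, worked as an added example that is not from the thread or from any poster's own script: the password is derived from the date, so the technician can compute it offline, but a keyed hash (HMAC-SHA256 with a per-site secret, swapped in for a plain date pattern) is used so a user who sees one day's value cannot predict the next. The helper account name, the site secret and the dates are constructed; the scheduled task would still apply the derived value with the Windows `net user` command.

```python
import base64
import datetime
import hashlib
import hmac

# Constructed values for this example: a per-site secret held only by the
# technician and the scheduled task, and a hypothetical helper account.
SITE_SECRET = b"constructed-site-secret-replace-me"
HELPER_ACCOUNT = "localhelper"
PASSWORD_CHARS = 16


def _as_date(day):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def derive_password(day, secret=SITE_SECRET, account=HELPER_ACCOUNT):
    """Return the password the helper account should carry on `day`.

    Keying the date with HMAC-SHA256 keeps the value predictable for whoever
    holds the site secret, while one day's password reveals nothing about the next.
    """
    message = f"{account}|{_as_date(day).isoformat()}".encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Base64 keeps it typeable at a run-as prompt; the fixed suffix supplies a
    # digit and a symbol for a local complexity requirement.
    return base64.b64encode(digest).decode()[:PASSWORD_CHARS] + "!1"


def password_is_current(candidate, today, grace_days=1, **kw):
    """True if `candidate` is today's password or one from `grace_days` back.

    The grace period covers a technician who computed the value just before
    the scheduled rotation fired at midnight.
    """
    today = _as_date(today)
    for back in range(grace_days + 1):
        expected = derive_password(today - datetime.timedelta(days=back), **kw)
        if hmac.compare_digest(candidate, expected):
            return True
    return False


if __name__ == "__main__":
    # The scheduled task would run: net user <account> <derived password>
    today = datetime.date.today()
    print(f"Run-as password for {HELPER_ACCOUNT} today:", derive_password(today))
```

The rotation task should feed the password to `net user` from the script rather than leaving it visible in a command line, and the site secret must not live on the client PC in a user-readable location.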
:) Allow the comment:
"Why has NO ONE mentioned running as NON-ADMIN? That's 99.9% of the problem btw"
Now that's a very strong assumption. Since malware authors have had to fight with UAC for 7 years, they don't still write 99.9% of viruses to only work when admin & UAC is off, come on.
Many run in the user space, hard to say if that's the majority... but still, you are right, always one of the most important things.
Rich Rumble (Security Samurai) commented:
99.9% is a little overstated for win7 :) But it does cut down on the users' ability to infect themselves as well; making them ask permission for something often helps to curb or give them pause. Users are users, and they don't know what they are doing 99.9% of the time :)
-rich (aka mr. 99.9)
1.  Symantec says that Antivirus is a dead end solution.  It is especially true for their product.  We have left it.

2.  Get something on the network, like others, I recommend anything but Symantec.

3.  Use a UTM firewall.  I recommend Sonicwall, with their Comprehensive Security Services.