Group of users who travel to China (& are based there for months) often get infected with malware

sunhux used Ask the Experts™
We have quite a handful (about three dozen) of staff who bring our corporate laptops to
our China branch & are based there for months. We enable local admin for
them (as sometimes when they're there, they need to install certain software, as
there's no PC/end-user support there) & we enable their laptops to connect to
hotel/public Wi-Fi.

They'll often VPN back to the local head office here to join our domain for Intranet
services, and this is when their PCs are found to have malware; or when they are
back here locally, their PCs are found to have numerous pieces of malware. We never
know what happened or why their PCs' AV signatures are not updated while they're
in China.

I'm proposing that application whitelisting (which some of our critical PCs are mandated to
have) be installed, as AV is a 'blacklisting' solution while application whitelisting is more effective,
but my colleague who supports application whitelisting has the concern below:

"Not really suitable. Gotta be connected to VPN at least 2 hrs for the baseline to complete, and if something really breaks and they can't initiate VPN back, the whole laptop is as good as totally disconnected from the network already. High-risk thing to do. Won't be able to remotely change app whitelist settings unless they manage to connect back to the VPN network. Main worry is if a user hits a problem doing VPN."

Is the limitation/concern above valid, and isn't there a way to overcome it?

What other mitigations can we do for this group of users, assuming we can't
take away their local admin & still allow them to connect to public/hotel Wi-Fi?

We plan to 'quarantine' their PCs with NAC such that if their AV signatures
& patches are outdated, the PC has to be brought to end-user support for update
& scanning first when they're back. But if they connect back via VPN (which
we can't block when the PC is outdated, as it would prevent them from accessing the Intranet
for months), this VPN connection back is still a gap.
Their antivirus should be able to pull updates from China if you configure a local proxy on your side that is accessible through the VPN and configure the antivirus to use it.

The rest is a matter of perspective, but I believe you need a better tradeoff than giving them admin access. Maybe Windows boxes are not your best bet either.

Also note that a great part of the software they will download while in China will be packed with malware, so even power users who know not to work as admin on a regular basis may be tricked.

Some background may help in getting better ideas.
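The NAC-style posture check the question describes (quarantine when AV signatures or patches are stale) together with a reachability test for the VPN-only update proxy suggested in the reply above, as an added PowerShell example that is not from either poster. It assumes Microsoft Defender as the AV (Get-MpComputerStatus) and uses a placeholder proxy host name and placeholder age thresholds.

```powershell
# Added example: posture check a NAC agent or VPN post-connect script could run on a
# roaming laptop before granting Intranet access. Exit 0 = allow, exit 2 = quarantine.
param(
    [int]$MaxSignatureAgeDays = 3,                         # placeholder threshold
    [int]$MaxPatchAgeDays     = 45,                        # placeholder threshold
    [string]$UpdateProxyHost  = 'avproxy.corp.example',    # placeholder: proxy reachable only via VPN
    [int]$UpdateProxyPort     = 8080                       # placeholder port
)

$findings = @()

# 1. AV signature freshness: the gap in the question (signatures go stale while abroad).
#    Assumes Microsoft Defender; other AV products expose this differently.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old (last update $($mp.AntivirusSignatureLastUpdated))"
}

# 2. Patch freshness: newest installed hotfix that carries an install date
#    (Get-HotFix reads Win32_QuickFixEngineering, so treat this as an approximation).
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or ((Get-Date) - $lastPatch.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings += "No Windows update installed in the last $MaxPatchAgeDays days"
}

# 3. Can the laptop reach the corporate AV update proxy through the tunnel?
$proxyOk = Test-NetConnection -ComputerName $UpdateProxyHost -Port $UpdateProxyPort `
           -InformationLevel Quiet -WarningAction SilentlyContinue
if (-not $proxyOk) { $findings += "AV update proxy ${UpdateProxyHost}:$UpdateProxyPort is unreachable" }

# 4. Local admin is an accepted risk in this scenario; record it so the report shows exposure.
$isLocalAdmin = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -contains "$env:USERDOMAIN\$env:USERNAME"

$result = [pscustomobject]@{
    Host       = $env:COMPUTERNAME
    LocalAdmin = $isLocalAdmin
    Compliant  = ($findings.Count -eq 0)
    Findings   = $findings
}
$result | Format-List

if ($result.Compliant) { exit 0 } else { exit 2 }
```

Run it from the VPN client's post-connect hook so a non-zero exit can drop the session into a remediation-only network segment instead of blocking the user outright.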


It's quite a major hindrance having no IT/PC support in China for these users.
In fact, even with up-to-date AV it's still a concern: from VirusTotal, we can see
that different vendors have different detections, and the dates they got updated
vary a lot.

So you reckon my colleague's assessment that application whitelisting is not
feasible is a valid concern?
It is "feasible", but I would most definitely not recommend it in this circumstance:
- it does not protect against worms, viruses that use rundll and the like to run their own code, explorer hooks...
- it is a major pain to maintain: at some point, either your users will not be able to handle the job, or they will find a way to disable it entirely

An up-to-date AV is by no means bulletproof protection.
- the Windows OS is by design packed with many flaws that allow detection to be skipped in many cases
- antiviruses work reactively rather than proactively
- the number of known viruses is so huge that major vendors clean up old definitions, which are easily available nowadays

I'm unsure what your users need to be able to use. It might be feasible to let them work from a live CD, or possibly a USB key packed with a read-only OS (such as SliTaz) and their personal files. When they come back, simply copy the files to a dedicated old computer with hardly any network connectivity (it WILL very likely be compromised; it must not be part of your domain or have access to email or file shares), send the files somewhere as an archive, scan the files and throw the USB key away.

In any case, a non-Windows OS is a better bet than the best antivirus in the world.

Note that most of the hardware will possibly be compromised unless you destroy the USB ports, and no amount of format and reinstall will change that.