Making a PC bulletproof from viruses and Trojans etc.

Miscthree

Member
May 1, 2011
168
0
0
My parents are expecting me to get them a new computer soon, as their machine is old and currently riddled with viruses and malware.

I plan to give them a dual boot Mac mini with Windows 7. I want to use ESET antivirus or maybe Bitdefender but I somehow don't think this will be powerful enough to prevent malware finding its way onto the machine.

I'm pretty sure that the malware gets there when my parents encounter dialog boxes and/or adverts that ask if 'you want to clean your PC from viruses?', and click 'yes'.

I am considering using parental control (I suspect my dad is hitting the pRon sites lol). Or I may just put it out in the open and suggest some spam/malware free sites?

I'm a little undecided on how best to proceed. Any help would be appreciated.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
239
106
You can only do what you can control. I would say your parents are trainable. I have been teaching seniors now for nearly 15 years, and very few are not responsive. I would install a good AV and anti-malware setup and also, consider a program like DeepFreeze. You can have the only access to its password. It restores the PC to a baseline setting on every reboot. We use that in our teaching labs - that way whatever the students do is swept away on reboot.

http://www.faronics.com/en/Products/DeepFreeze/DeepFreezeEducation.aspx
 

abaez

Diamond Member
Jan 28, 2000
7,155
1
81
I have my parents on a guest account on Win7, with MSE installed, Chrome sandboxed, and all programs that they would need installed, along with Ad Muncher, which gets rid of any weird popups or things that they would click. They haven't gotten a virus or malware in over a year.
 

C1

Platinum Member
Feb 21, 2008
2,375
111
106
Ya, I'd agree. I've used Centurion's Driveshield (sold now for home users as Smart Restart) for three years and have not had any issues. There are a lot of advantages over normal/conventional AV approaches. These include one-time purchase (as opposed to constant contract renewals), no need for updating/constant updates for new signatures, insignificant CPU resource utilization versus conventional AV approaches and finally pretty much absolute assurance of protection. It also has the added advantage of allowing trial assessment of changes, settings and even new software before commitment. The big disadvantage is that the shield must be disabled via reboot to be able to effect changes.

Something to consider.

Addendum:
Upon review of "Deep Freeze", it appears to be pretty much the same as the old "Driveshield". Centurion's home version "Smart Restart" has built in Faronics' Igloo features, which Faronics sells separately as a package/application. (I actually have a version of Smart Restart that allows selection of which areas to retain such as favorites, desktop, my documents, etc., but this feature/capability as selectable must have been removed from later versions for cost effectiveness.) I've seen "Smart Restart" pricing at $29.
 

Miscthree

Thanks guys, I'll look into those options. My initial concern when DeepFreeze was mentioned was that I wanted to make sure that the bookmarks and documents would be free to be added to and modified, instead of wiped clean after reboot.

I also would like them to use the sleep function instead of boot/shutdown so they won't feel like they have to 'restart' their session. They complained earlier that they wanted to see their docs and websites up as they returned to the machine...I guess I can make a sleep shortcut on the desktop for that. Thanks guys!
 

pyonir

Lifer
Dec 18, 2001
40,855
319
126
My parents used to have the same thing... I'd have to reformat their computer once a year or so and it was always full of malware.

They are still using XP Home, but also still using IE. I forced them to learn Firefox and installed NoScript, Flashblock and Adblock Plus. Taught them how to use those add-ons as well. I had to answer quite a few questions at first, but they were pretty easy ones. It's been 3 years now and they haven't had a virus or instance of malware since.

IMO, you can put all the programs you want on a computer, but until you try and work with them on changing their browsing habits and what they click on, things probably won't change.
 

corkyg

"Thanks guys, I'll look into those options. My initial concern when DeepFreeze was mentioned was that I wanted to make sure that the bookmarks and documents would be free to be added to and modified, instead of wiped clean after reboot."

We do that by leaving a partition unfrozen - such things can be stored there. Lots of good tips here.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
"My parents are expecting me to get them a new computer soon, as their machine is old and currently riddled with viruses and malware.

"I plan to give them a dual boot Mac mini with Windows 7. I want to use ESET antivirus or maybe Bitdefender but I somehow don't think this will be powerful enough to prevent malware finding its way onto the machine.

"I'm pretty sure that the malware gets there when my parents encounter dialog boxes and/or adverts that ask if 'you want to clean your PC from viruses?', and click 'yes'.

"I am considering using parental control (I suspect my dad is hitting the pRon sites lol). Or I may just put it out in the open and suggest some spam/malware free sites?

"I'm a little undecided on how best to proceed. Any help would be appreciated."

The only way to make it truly bulletproof is to turn it off. Even OS X just had a nice hit from malware called MacDefender and variants, so if your parents are going to click yes to everything they see, they're not safe regardless of what you do. Even if you use something that reverts the PC on reboot, they can still enter their CC# into a malicious program/website and get defrauded; it just won't be persistent.
 

Miscthree

Thanks. Yes, sometimes the desktop is rendered totally unusable, which is why I bought them an old ThinkPad laptop as a backup, but that machine gets hammered too. So much for backup plans.

What about the Google Chrome notebook? They mostly do web related stuff anyway... would those be less susceptible to malware?
 

Nothinman

"Thanks. Yes, sometimes the desktop is rendered totally unusable, which is why I bought them an old ThinkPad laptop as a backup, but that machine gets hammered too. So much for backup plans.

"What about the Google Chrome notebook? They mostly do web related stuff anyway... would those be less susceptible to malware?"

They run Linux and have little/no access to the local OS so yes they should be safer from malware, but not from social engineering.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Use Sandboxie and lock it down so they cannot execute anything outside it.
http://sandboxie.com/

The main flaw with Sandboxie is it allows things to be saved to the local drive under their own directories separate from everything else. Someone can still navigate to those folders and run the programs downloaded. Other than that it is pretty locked down. Secure those directories and read the FAQ on the site and you shouldn't have any problems.

I do a lot of reverse engineering with malware and so far I haven't found any malware that can break out of the sandbox. Mainly what I find is malware that detects it is running in the sandbox and tries to trick you into turning it off and running the program.
 

Miscthree

"Use Sandboxie and lock it down so they cannot execute anything outside it.
http://sandboxie.com/

"The main flaw with Sandboxie is it allows things to be saved to the local drive under their own directories separate from everything else. Someone can still navigate to those folders and run the programs downloaded. Other than that it is pretty locked down. Secure those directories and read the FAQ on the site and you shouldn't have any problems.

"I do a lot of reverse engineering with malware and so far I haven't found any malware that can break out of the sandbox. Mainly what I find is malware that detects it is running in the sandbox and tries to trick you into turning it off and running the program."

This seems very interesting. I will give that a try.
 

Ben

Golden Member
Oct 9, 1999
1,585
0
76
Interesting link Modelworks. Thanks.

As for suggestions to Miscthree, I also vote for Google Chrome OS.

You could also just try something like Ubuntu if you want a little more traditional OS than Google.

If they are stuck on Windows you can look into Microsoft Steady State. I've used Steady State on my dad's PC (had the same problem you do with him clicking on whatever pops up) and it has helped a bunch. Although somehow he still managed to pick up something a couple months ago, so I had to start using Acronis as well.
 

KeithP

Diamond Member
Jun 15, 2000
5,664
200
106
"The main flaw with Sandboxie is it allows things to be saved to the local drive under their own directories separate from everything else. Someone can still navigate to those folders and run the programs downloaded."

He could use Windows 7's, or OS X's, parental controls to only allow launching of programs that you clear ahead of time.

I would also suggest spending some time on educating them. Ideally, if you could find some sites that pop up some of these fake security dialogs you could show them what to look for.

Or, as I suggested in another thread, download VirtualBox and Ubuntu and have them do all their web browsing and email in Firefox with NoScript in a Linux VM. One advantage to this idea is you could do this under Windows 7 and OS X.

-KeithP
 

Miscthree

I ended up using Sandboxie for them. They're using it now, so far so good. It's been about two days though.

I had considered using parental controls but that will just deny my dad the porn he has every right to access lol. I know he's been going to porn sites, it's just not out in the open though. I had also considered simply setting up some safe sites (and cellophane the keyboard lol) for him but that would embarrass him a lot.

So I'll see how the Sandboxie works for now. I love the Ubuntu and Chrome OS idea, I'm just not experienced enough to troubleshoot Ubuntu and Chrome OS is still not out (I think?)
 

corkyg

Your mom should be able to put a damper on your dad's porn site visits. :)
 

Miscthree

"Your mom should be able to put a damper on your dad's porn site visits. :)"

No offense to my mom but I think his eyes wander a little bit these days. Heck I don't see anything wrong with it to be honest, I just want him to do it safely and with least computer fuss.

The SRP idea is nice but I neither have the time nor inclination for that level of administration.

I may just do the iPad or Chromebook for them. Easy peasy?
 

Miscthree

"Use Sandboxie and lock it down so they cannot execute anything outside it.
http://sandboxie.com/

"The main flaw with Sandboxie is it allows things to be saved to the local drive under their own directories separate from everything else. Someone can still navigate to those folders and run the programs downloaded. Other than that it is pretty locked down. Secure those directories and read the FAQ on the site and you shouldn't have any problems.

"I do a lot of reverse engineering with malware and so far I haven't found any malware that can break out of the sandbox. Mainly what I find is malware that detects it is running in the sandbox and tries to trick you into turning it off and running the program."

So it looks like Sandboxie works, only it works too well.

My mother uses the PC for watching the stock market with TD Ameritrade, which has a very secure login. Every time she logs in, the TD Ameritrade server thinks it's a new machine and requires her to authenticate her login every time, which is to answer a whole bunch of questions. She's annoyed at that, and that just isn't acceptable to me. For the time being however, she can work with it until I find a better solution. They both have standard accounts, and only I have admin rights.

Perhaps I'll have my dad's account use Sandboxie, and my mom can use an unrestricted version of Firefox? I think that's possible??

Also, is there a way to log in using RDC from outside the LAN? That way I can administrate remotely?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,202
126
"The SRP idea is nice but I neither have the time nor inclination for that level of administration."

Why? After the initial setup, there's really no administration to worry about. And it's about as bullet-proof as you're going to get, as long as you still run Windows.
 

VirtualLarry

"Also, is there a way to log in using RDC from outside the LAN? That way I can administrate remotely?"

If you have Win7 Pro, yes, you can RDP into the machine. Although, running raw RDP over the internet isn't too secure. If you got them a router (DD-WRT!) with a VPN feature, then you could VPN into their network, and then RDP into their machine.

(And if you're going to install Pro, then you had better consider SRP.)
 

Miscthree

"If you have Win7 Pro, yes, you can RDP into the machine. Although, running raw RDP over the internet isn't too secure. If you got them a router (DD-WRT!) with a VPN feature, then you could VPN into their network, and then RDP into their machine.

"(And if you're going to install Pro, then you had better consider SRP.)"

I got them a version of Windows 7 Pro. I have W7 Ultimate on my laptop at my house. Their machine is a Mac mini running Boot Camp.

I have the Mac mini connected via RJ45 to the Verizon FiOS router that was supplied to them. I'm not sure if it has a VPN feature. Would you happen to know offhand if it does?

I am pretty sure it has a port forwarding feature, would that alone be enough to connect remotely?

Finally when you say it is not 'secure', what do you mean? Can someone tunnel in while I'm connected, or can they see the keys I'm typing etc etc?
 

Nothinman

RDP is encrypted with 128-bit RC4 by default so that part is secure. The only downside is that it provides a method for attackers to brute force passwords so if your parents have weak passwords someone could get in as them. But even that would be a terribly slow process given how Windows handles multiple successive interactive login requests.
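
Added example, not part of any post in this thread: if RDP is reachable through a port forward as discussed above, password guessing shows up in the Windows Security log as bursts of failed logons (event 4625) from one source address, and a successful logon (4624) from that same address afterwards is the case to investigate. The sketch below runs that check over constructed sample rows; the CSV layout, the account names, the addresses and the threshold of 5 failures in 2 minutes are all assumptions for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows (not real logs), shaped like a CSV export of the
# Windows Security log. 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP), 3 = Network, 2 = console.
SAMPLE_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2011-06-01T02:14:01,4625,10,Administrator,203.0.113.45
2011-06-01T02:14:09,4625,10,Administrator,203.0.113.45
2011-06-01T02:14:17,4625,10,dad,203.0.113.45
2011-06-01T02:14:26,4625,10,dad,203.0.113.45
2011-06-01T02:14:34,4625,10,mom,203.0.113.45
2011-06-01T02:14:43,4625,10,mom,203.0.113.45
2011-06-01T02:15:30,4624,10,mom,203.0.113.45
2011-06-01T09:00:05,4625,2,dad,-
2011-06-01T19:30:00,4625,10,son,198.51.100.7
2011-06-01T19:30:40,4624,10,son,198.51.100.7
"""

REMOTE_LOGON_TYPES = {"3", "10"}


def find_bruteforce_sources(csv_text, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed remote logons inside `window`,
    and note whether a successful logon from that IP followed the burst."""
    recent = defaultdict(deque)   # ip -> (timestamp, user) of recent failures
    flagged = {}                  # ip -> summary of the burst
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["TimeCreated"])
    for row in rows:
        if row["LogonType"] not in REMOTE_LOGON_TYPES:
            continue              # console logons are not remote exposure
        ip, ts = row["IpAddress"], datetime.fromisoformat(row["TimeCreated"])
        if row["EventID"] == "4624" and ip in flagged:
            flagged[ip]["success_after_burst"] = True   # guess may have worked
        elif row["EventID"] == "4625":
            q = recent[ip]
            q.append((ts, row["TargetUserName"]))
            while ts - q[0][0] > window:                # slide the time window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"max_failures": 0, "users": set(),
                                              "success_after_burst": False})
                hit["max_failures"] = max(hit["max_failures"], len(q))
                hit["users"].update(user for _, user in q)
    return flagged
```

On the sample rows only 203.0.113.45 is flagged; the single mistyped password from 198.51.100.7 and the failed console logon are ignored.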