TR Forums

I tried to see if there was a similar topic, but nothing came up with a forum search, so my apologies if I'm rehashing an old topic here. I have certain members of my family that seems to be a magnet for malware, viruses, etc. I am currently removing a nasty "FBI Moneypack" virus from their laptop as I type this. This is the second time with the same virus (although this appears to be a tougher strain than the last) and it is just one of countless times I've had a similar situation. They insist they aren't going to any dodgy websites and not agreeing to any type of installs, etc. but yet, here we are.

The machine is running Vista with microsoft security essentials, updated windows patches, etc. I've just had the idea to manually configure their DNS to openDNS or google as those have some level of protection vs. the DNS from their ISP (comcast) although I think their router may already be configured to hand out those addresses anyways. Things have gotten much better since I installed Vista instead of XP, but it still happens

So, what do you guys do to protect users (friends, families, children, etc.) from themselves and everything bad out on the interwebs? Taking the computer away isn't an option, as much as I might like that.

Buy them a Mac and teach them how to use it Or get a better security suite because MSE, while being low on system resources and with 0 false positives, is not enough for someone who is uneducated enough to click on every pop-up or go to potentially malicious sites. Just take a look at its detection rates - they are worst compared to any other similar product:
http://www.av-test.org/en/tests/home-us ... vdec-2012/
http://www.av-test.org/en/tests/home-us ... nfeb-2013/
Even AVG's Free Edition will protect better.
Soo... Yea, get a good paid security suite (from Bitdefender... or from my favorite company - Kaspersky Labs ), install it (make sure to uninstall the Microsoft's junk!), configure it properly (disable some useless options like "firewall" or "instant message scan" and such), make sure it auto-updates properly, "password protect" the changes to its settings and then see how it goes. Just remember to NEVER buy the paid antimalware products directly from the company's site - it is often cheaper to buy them at Newegg, Amazon and similar online places.

Put them on as Standard Users and don't let them know the admin password.

0. A robot may not harm humanity, or, by inaction, allow humanity to come to harm.

Logical argument thus follows:
Harm = malware infected laptop stopping them from getting amusement out of googling lolcats.
Stop malware = Priority 1.
Destroy idiot humans that do not understand malware and are thereby causing humanity to come to harm through increased effectiveness of botnets.
EXECUTE ORDER Priority 1.

I personally prefer sedatives, duck tape, and forcible confiscation of offending hardware, but some legal jurisdictions frown on this. In the meantime, third-party AV and reduced user privileges, both now suggested, can slow this down dramatically. Also, move them to a non-IE browser (if you haven't already).

.

spybot search and destroy works pretty well also, it can prevent it even showing up in a browser and prevent you from getting infected int he first place. I use it on all my rigs. one of the first things I always install...plus its free to boot.

If you can get them to use iPads for non-serious browsing, do it. Apple's iOS is well-maintained and -hardened for a consumer-friendly. My life's been much freerer of having to support my mom and siblings ever since they bought iPads. That's the real tablet revolution - it's not the touch or form factor, it's the freedom factor. I use PCs for most personal things of course (other than online finance which is safest on bulletproof iOS) but then I tend to know what I'm doing.

If you can get them to use iPads for non-serious browsing, do it. Apple's iOS is well-maintained and -hardened for a consumer-friendly OS. My life's been much freerer of having to support my mom and siblings ever since they bought iPads. That's the real tablet revolution - it's not the touch or form factor, it's the freedom factor. I use PCs for most personal things of course (other than online finance which is safest on bulletproof iOS) but then I tend to know what I'm doing.

Most recommended solution:

replace OS with
A) Windows 8
B) Linux Mint or Similar
C) OSX as noted above

Windows 8 does have exactly 2 things going for it.
1) it does everything for you: it grabs email, news feeds, social network stuff
2) Windows 8(like the other OS's above) are far more secure. fewer viruses around, more locked down
I'd probably most strongly recommend win8, as its the most similar to what they are used to. win 8 can be used with the the other options suggested

Second most recommended solution install Firefox (and hide IE). EDIT BY MOD - Captain Ned - Forum Rule #12 violation.

Third most recommended solution
Spybot S&D and Ad-Aware, I don't like these because they have a tendency to get ignored.

Fourth and least recommended option get them a physical firewall/router and literally write them a list of websites that they can visit, mommy style

clone wrote:

1st tell them nothing is free on the internet.
2nd teach them how to close suspect pages or popups

Good advice; This will fix a large proportion of the user-error, and infection is 99% user-error.

One of the best things you can do it switch to firefox and use EDIT BY MOD - Captain Ned - Forum Rule #12. That will stop 40% of that crap from installing. Next uninstall java from your computer. That will stop an additional 40%. Third, make an extra user account with a password for recovery. If the main one gets infected, there is a good chance that the backup one will be fine. Simply log into the backup account and create a new one for them to infect.

edit-----------

oh, and use sumatra as a PDF viewer.

Firefox is not the most secure browser anymore. It lost that crown years ago.

Chrome and the latest versions of IE on Vista or later are more secure browsers.

First of all, dial 911 if you have credible knowledge that they can bring about the threat to harm themselves. Be sure to listen to what they say and not to trivialize or put them down, but be empathetic, and let themselves express their feelings and have an outlet for those emotions and concerns. Then, after they have calmed down....

Wait, you didn't mean this? Wording can mean everything.

Why not title it as "How do you protect people from their stupidity?" or "How do you protect people from their computer illiteracy?"

The most secure way is going to be to set them up on Linux or a Linux-based system (tablets etc.) but that comes at the expense of all those delicious x86 programs that make computing worthwhile. If they don't have root they can't do much, and even if they did you'd be surprised how many browser weaknesses go away when none of the plugins are compatible with the OS.

Barring that you just need to educate them on how the internets works. A sufficiently stupid/naive user will get around your security no matter how hard you try.

NovusBogus wrote:

The most secure way is going to be to set them up on Linux or a Linux-based system (tablets etc.) but that comes at the expense of all those delicious x86 programs that make computing worthwhile. If they don't have root they can't do much, and even if they did you'd be surprised how many browser weaknesses go away when none of the plugins are compatible with the OS.

I think you mean delicious Windows or Mac programs?

Well, if they're noobish enough to repeatedly get their computer infected, hopefully a basic understanding of linux is all they need. It may not be as intuitive right off the bat as Windows or Mac, but even in linux basic things like web browsing and word processing are super easy for an uninformed user. You can set up a sudoers file for just what they need, install a browser with the appropriate security settings or add-ons, and voila!

Do they do anything offline? If not, these are the users for whom Chromebooks are made. They're pretty much bulletproof.

Otherwise, my standard advice is
1) get rid of Java unless absolutely necessary. Seriously, nuke it from orbit; it's the only way to be /sure/.
2) make sure Flash is kept up-to-date
3) likewise for Quicktime and other browser-accessible codecs, your browser(s), the operating system, and antivirus
4) make sure Data Execution Prevention is turned on
5) strongly consider Sandboxie to further insulate the computer from the browser
6) turn up UAC at least to defaut level
7) drop the user's account privs to "user" and create a new admin account for administrative tasks, that they don't log into normally

That browser extension that we don't mention around here: it's got a subscription called "malware domains" which might help.

I also use OpenDNS in my router and the service has all kinds of categories you can block; I've set it to block "web spam", "parked domains", "adware", and "typo squatting". By default it'll block known botnet/malware/phishing sites as well; you can also blacklist specific domains.

Charge them a nominal fee every time you have to clean up stuff. Made my mother think twice before she would click on email links and popups (back in the day).

Ryu Connor wrote:

Firefox is not the most secure browser anymore. It lost that crown years ago.

Chrome and the latest versions of IE on Vista or later are more secure browsers.

EDIT BY MOD - Captain Ned - Forum Rule #12 violation.

.

Folks, if an extension blocks ads or Flash, proposing the use thereof violates Forum Rule #12.

I understand that discussion of same will stop now.

Thanks for listening.

clone wrote:

Chrome and the latest versions of IE on Vista or later are more secure browsers.

"One-click/key attack forces IE and Chrome to execute malicious code"

http://arstechnica.com/security/2013/06 ... ious-code/

while FireFox isn't perfect rare is the occasion where I'd trust Chrome and even less than where I'd place faith in IE.

A social engineering attack isn't the same as remote code execution. That article you cite isn't a good example - in fact it's not even considered a software security bug - it's a human bug.

This on the other hand...

All browsers have flaws and you are free to make your choices, but Chrome and IE are the strongest.

This is a bit dated, but the underlying features that facilitated his answer haven't changed.

Charlie Miller in 2010 wrote:

In your opinion, which is the safer combination OS+browser to use?

That’s a good question. Chrome or IE8 on Windows 7 with no Flash installed. There probably isn’t enough difference between the browsers to get worked up about. The main thing is not to install Flash!

Firefox continues to lack integrity levels, lacks a full implementation of ASLR, lacks HE-ASLR, and lacks a 64bit version (A 64bit virtual memory address space is very handy with ASLR).

odizzido wrote:

Is there a flash (whitelist) with IE?

IE has the ability to violate rule #12, including flash, but since it violates rule #12 that makes it a bit like fight club. We can't talk about it.

Flying Fox wrote:

Put them on as Standard Users and don't let them know the admin password.

This, and this alone, will reduce your future headaches by 99%... ESPECIALLY if most of their use is just web browsing.

But I agree that MSE isn't the shiz like it used to be. I have Avast on most of the computers in my home, but I'm trying Ad-Aware on a couple to see if I like that better.

[in re Rule #12-violating extensions]

Or, you know, just uninstall Flash altogether. Not everyone needs it now that Youtube has been partially/mostly/entirely(?) HTML5ified.

Flash itself has a long history of security vulnerabilities.

kvndoom wrote:

But I agree that MSE isn't the shiz like it used to be

"Used to be"? It never was good, the detection ratio was always less than "industry average" in AV-Test's tests

Block Facebook. That should help.

Ryu Connor wrote:

Firefox is not the most secure browser anymore. It lost that crown years ago.

Chrome and the latest versions of IE on Vista or later are more secure browsers.

--- Rule #12 edit ---

edit back, hey! I read rule 12 and the post that you edited didn't violate it. No Fair!

alright. Then I guess I have to say flash is a huge problem with malware. Research on your own how to secure your browser from flash exploits.

Have to say, Microsoft Security Essentials has been worsening recently. Try a different anti-virus package. I'm fond of ESET's NOD32.

I used to work in a school so we used windows steady state and there are alternatives for win7. (WSS was discontinued for win7 and later)

Once it is setup with everything the user needs, you freeze the config.
Every time they reboot the system is restored to the way it was when you froze the machine.
User's could save their own files to thumb drives but nothing on the HD was kept through a reboot.

I recommend this sort of layout for kids who don't understand what they are doing and want to be able to play games etc.