How do YOU stop malware for the masses?

Discussion in 'other anti-malware software' started by Sully, Aug 6, 2012.

Thread Status:
Not open for further replies.
  1. Sully

    Today I helped yet another person get rid of the latest "Anti Virus Platinum Gold Edition Razoo Yada Yada 2012" malware. Last week it was the same, the same as the week before that. Next week will be yet more of the same.

    This is nothing new. Windows Vista, Windows 7, Windows XP, Windows 2000, etc. etc. UAC, what does that do again exactly? lol. AV - are these truly up to date? lol.

    These are all admin accounts in XP/2000, and the hybrid UAC accounts in Vista/7 where there are both admin and user credentials in the user's token. I haven't seen this at all really in people who use LUA, but maybe that is because they understand what is going on, because they have to INTEND to install something.

    Anyway, how do YOU secure your friends/family/neighbors machines - that is, "the masses" - the ones who aren't interested enough to learn, who get bolluxed up using SBIE and can barely run an AV it seems.

    I realize UAC offers more than there was in the past. But I don't put much stock in it, actually less and less the more I have to fix things. Most people I help now have newer machines with Vista/7, with default settings and running a 64-bit OS. The browser many of them use is IE in protected mode. What good is a supposed security mechanism (if you think that is what UAC is) when it really doesn't stop infections? What good is an AV or an in-built firewall for these people? I have fixed more machines in the last year than in quite a few years.

    So what do YOU do for these situations?

    Sul.
  2. Wroll

    Those dumb fake AVs usually come through ads, so I just install adblock.
  3. ZeroDay

    The only real way is to educate the user, but people really aren't interested in security until they get an infection bad enough to disrupt their daily tasks. So that brings us back to square one lol.

    Maybe Linux?
  4. funkydude

    I tell them to use IE9 and delete any files that don't pass its SmartScreen app reputation barrier, works a treat.

    I also try my best to set as many programs to update automatically as possible, flash was my last concern which made me wonder if I should be giving them Chrome, but thankfully Adobe brought in auto updates for that too.
  5. Hungry Man

    I set up a computer not long ago for a friend who's never had one before. He's in his sixties and needed to use it for tax software.

    I set up his browser - Chrome with PPAPI Flash. I installed adblock as well.

    I then set up EMET with the all.xml profile. This should help him stay secure even if he forgets to update.

    And then I installed Microsoft Security Essentials.

    That's all I could do - anything too strict would have been a burden.
  6. wat0114

    For my family's machines:

    1. XP Pro, all updated, Google Chrome forced in Sandboxie in a Limited SRP-restricted account. If my 10-year-old son wants to install something, I approve of it first then install it for him. He's aware not to proceed on anything that pops up out of nowhere prompting user action.

    2. Win7 HP laptop 1: All updated, Limited account IE 9 forced in Sandboxie for my teenage daughter. She rarely installs anything and she's also aware not to proceed on anything that pops up out of nowhere prompting user action.

    3. Win 7 Pro laptop 2: All updated, Limited account SRP-protected. My wife only watches her comedy and drama videos on it.

    In all cases you can see the common denominator is Limited accounts and either a 3rd party or built-in security measure is employed full time. I've had no significant issues with this approach, but admittedly I'm at arm's reach if something goes wrong, so that makes things easier. I forgot to mention EMET is installed and configured for Internet-facing apps on all machines too.
  7. Dark Shadow

    How about set ups like...
    1. Standard user accounts.
    2. SRPs.
    3. EMET.
    4. Chrome-based browser.
    5. Remove Java.
    6. Secunia for updates.
    7. AV - Firewall.
    8. OpenDNS or Norton DNS.
    9. Offline image backup.
    Last edited: Aug 6, 2012
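    The software restriction policy in step 2, as an added example that is not from this post or from Microsoft's documentation: it writes the registry keys that secpol.msc writes when you set the default level to Disallowed with path rules for Windows and Program Files, and it exempts local administrators so the helper's admin account can still install things for the standard user. Account names, the level constants and the file-type list are as used by SRP; the function names are mine. Run it elevated, try it in a VM first, and delete the CodeIdentifiers key to undo it.

```powershell
# Added example (not from the post). Assumes Windows 7; run from an elevated
# PowerShell and log the user off/on afterwards for the policy to take effect.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels as stored in DefaultLevel (SAFER_LEVELID_*).
$Disallowed   = 0x00000
$BasicUser    = 0x20000
$Unrestricted = 0x40000

function Add-SrpPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths (decimal level).
    $key = "$Safer\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $Description -PropertyType String       | Out-Null
}

function Enable-SrpDenyByDefault {
    New-Item -Path $Safer -Force | Out-Null
    # Default: nothing runs ...
    Set-ItemProperty $Safer DefaultLevel $Disallowed -Type DWord
    # ... except what sits under Windows and Program Files, which a standard user
    # cannot write to. Everything in the profile (Downloads, %TEMP%, %APPDATA%,
    # where fake AVs drop themselves) is therefore blocked from executing.
    Add-SrpPathRule $env:SystemRoot   $Unrestricted 'Windows'
    Add-SrpPathRule $env:ProgramFiles $Unrestricted 'Program Files'
    if (${env:ProgramFiles(x86)}) {
        Add-SrpPathRule ${env:ProgramFiles(x86)} $Unrestricted 'Program Files (x86)'
    }
    # TransparentEnabled 1 = enforce for all files except DLLs (2 includes DLLs and
    # is far noisier). PolicyScope 1 = all users except local administrators, so
    # the helper's admin account is not locked out of installing software.
    Set-ItemProperty $Safer TransparentEnabled  1 -Type DWord
    Set-ItemProperty $Safer PolicyScope         1 -Type DWord
    Set-ItemProperty $Safer AuthenticodeEnabled 0 -Type DWord
    # Designated file types. LNK is deliberately left out: with it in the list the
    # user's own desktop/Start menu shortcuts (which live in the profile) are blocked.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF',
             'REG','SCR','SHS','URL','VB','WSC'
    Set-ItemProperty $Safer ExecutableTypes $types -Type MultiString
}

function Get-SrpStatus {
    if (-not (Test-Path $Safer)) { return 'no SRP policy configured' }
    switch ((Get-ItemProperty $Safer).DefaultLevel) {
        $Disallowed   { 'default level: Disallowed' }
        $BasicUser    { 'default level: Basic User' }
        $Unrestricted { 'default level: Unrestricted' }
        default       { "default level: $_" }
    }
}

Enable-SrpDenyByDefault
Get-SrpStatus
```

    Two caveats a practitioner will hit: the policy does nothing for software the user installs deliberately through an elevation prompt (m00nbl00d's point below), and anything that legitimately runs from the profile (per-user Chrome installs, portable apps) needs its own path rule, ideally a hash or certificate rule rather than a writable path.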
  8. zapjb

    I've fixed so many computers that now I can read customers minds. And usually they're thinking:

    "Why is this guy telling me all this? It's just supposed to work like a fridge or a toaster. Oh, let me pay attention here so I can turn these bothersome programs off after he leaves."

    The masses, the masses, they're doomed. Seriously though, until there's remote maintenance for every unknowledgeable user, like monthly or weekly, they'll find some way to break the toaster.
  9. m00nbl00d

    That's almost perfect... except for software restriction policies. The keyword here being restriction. It will only restrict anything that may try to silently install to their systems, but it won't do anything if they actually install something themselves.

    Anyway, this is what I'd do:

    1. Standard user accounts;
    2. Google Chrome modified to run with a low integrity level

    Now, Google Chrome's sandbox is even stronger because renderer processes run at untrusted integrity level. By applying a low integrity level to the main process, the sandbox gets stronger.

    With the additional benefit that Adobe Flash Player also gets automatically updated. This is especially useful if a user's machine doesn't have many resources, and you need to reduce the number of processes that run at startup that handle updates, such as Flash Player's update process and service.

    Not to mention, due to all of this, Google Chrome's sandbox is stronger than IE9's.

    3. EMET;
    4. If Java is really needed, then create a separate Google Chrome profile, and only allow Java to run in that profile and only for the domains where it's actually needed;

    5. Microsoft Security Essentials, especially considering that it's highly unlikely Microsoft will flag their own file system due to false positives and ruin the system;

    6. In about two weeks, it may be a great time to install BitDefender's TrafficLight extension. It seems they are going to solve the privacy issue I exposed. :)

    7. Adblock Plus

    8. If security is really a concern, then Norton ConnectSafe/Norton DNS instead of their ISP's;

    9. Email client - I'd make them use a separate standard user account, and apply a low integrity level to it, and see if everything would work fine; otherwise force it to run with a medium integrity level.

    10. Automatic Windows Updates, of course;
    11. Windows built-in firewall to filter inbound traffic;
    12. Backups - at least the most important files, if they can't afford to have additional HDDs; a flash drive is always cheaper.

    -edit-

    Regarding Google Chrome, you could also always ask the person what kind of websites they regularly visit, do they end in *.com, etc., then only allow connections to URLs ending in those TLDs. You can use the command-line switch --host-rules for that. There are also group policies available to download from Google's website.
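    Applying the low integrity level from step 2, as an added example that is not from m00nbl00d's post or from Google: it labels chrome.exe Low with icacls and verifies the result. The mechanism relied on is that a new process gets the lower of its parent's integrity level and its image file's mandatory label, so a Low-labelled chrome.exe launched from the Medium desktop runs Low, and the sandboxed renderers then drop to Untrusted from there. Paths assume a per-machine Chrome install on 64-bit Windows 7; the function names are mine.

```powershell
# Added example (not from the post). Run from an elevated PowerShell. Adjust
# $ChromeExe for a per-user install (%LOCALAPPDATA%\Google\Chrome\Application).
$ChromeExe = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
$UserData  = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$Downloads = "$env:USERPROFILE\Downloads"

function Set-LowIntegrity {
    param([string]$Path, [switch]$Recurse)
    if (-not (Test-Path $Path)) { throw "Not found: $Path" }
    # (OI)(CI) makes the label inheritable, so files Chrome creates later in the
    # profile or download folder are Low too and stay writable to the browser.
    $label = if ($Recurse) { '(OI)(CI)low' } else { 'low' }
    & icacls $Path /setintegritylevel $label | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Get-IntegrityLabel {
    param([string]$Path)
    # icacls prints "Mandatory Label\Low Mandatory Level:(NW)" for an explicitly
    # labelled object and no label line at all for the implicit Medium default.
    $line = (& icacls $Path) | Select-String 'Mandatory Level' | Select-Object -First 1
    if ($line) { ($line.Line -split '\\')[1] -replace ':.*$', '' } else { 'Medium (default)' }
}

# 1. The browser process inherits the label from its image file.
Set-LowIntegrity $ChromeExe
# 2. A Low process cannot write to Medium objects: without these two labels Chrome
#    fails to open its profile, and downloads fail to save.
Set-LowIntegrity $UserData  -Recurse
Set-LowIntegrity $Downloads -Recurse

foreach ($p in $ChromeExe, $UserData, $Downloads) {
    '{0,-70} {1}' -f $p, (Get-IntegrityLabel $p)
}
```

    Check the label again after a Chrome update: the updater replaces chrome.exe, and a replaced file does not keep the old explicit label, so the browser silently goes back to Medium until you re-run the first step.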
  10. wat0114

    This I see as the biggest problem you're facing. They should run full time in Limited accounts.

    If UAC is set to Default or better yet Maximum, then this will at least run applications in the context of Standard users, even while running them in their Administrative account. The problem it seems you have is these people are elevating installers at will to Administrator token level. Now the rogue apps/malware can do as they please, where they please.

    If you can get them to abdicate Administrative credentials to you or someone else competent and responsible enough to be the Administrator, then this should virtually resolve the malware issues they face, other than the crap that installs to user space directories and registry space such as hkcu & hk users. It's not the perfect solution, and likely not going to happen, but I can't think of anything else for those who click happily away on anything that arouses their curiosity, with no concern of the potential consequences. I can only assume you've educated them beyond reasonable extent to no avail.
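    The hand-over of administrative credentials described above, as an added example that is not from wat0114's post or from Microsoft: it creates a separate administrator account for the helper, demotes the daily account to a standard user, and sets UAC to the "Always notify" level. The account names are placeholders and the function names are mine; the registry values are the ones the UAC slider writes.

```powershell
# Added example (not from the post). Assumes Windows 7; run from an elevated
# PowerShell. Run it from the helper's session if possible: an account that is
# demoted while logged on keeps its admin token until it logs off.
$DailyUser   = 'alice'          # placeholder: the person's everyday account
$HelperAdmin = 'helper-admin'   # placeholder: the account only the helper knows

function Test-LocalAdmin {
    param([string]$User)
    # "net localgroup Administrators" lists the members one per line.
    $members = & net localgroup Administrators
    return [bool]($members | Where-Object { $_.Trim() -ieq $User })
}

function Set-UacLevel {
    param([ValidateSet('Default', 'Maximum')][string]$Level)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # EnableLUA=1 turns UAC on (admins get the split token wat0114 describes).
    # ConsentPromptBehaviorAdmin: 5 = Default (prompt only for non-Windows
    # binaries), 2 = Always notify (prompt on every elevation).
    # PromptOnSecureDesktop=1 keeps the prompt off the user's desktop so a
    # fake AV cannot draw over it.
    $behaviour = if ($Level -eq 'Maximum') { 2 } else { 5 }
    Set-ItemProperty $key EnableLUA                  1          -Type DWord
    Set-ItemProperty $key ConsentPromptBehaviorAdmin $behaviour -Type DWord
    Set-ItemProperty $key PromptOnSecureDesktop      1          -Type DWord
}

# 1. Create the helper's administrator first, so the machine is never left with
#    no administrator. "*" makes net.exe prompt for the password instead of
#    leaving it in the command history; /passwordchg:no stops it being changed
#    from the standard account.
& net user $HelperAdmin '*' /add /passwordchg:no /expires:never
& net localgroup Administrators $HelperAdmin /add | Out-Null

# 2. Demote the daily account. It stays in "Users", so it can still write to
#    its own profile (HKCU, %APPDATA%), which is exactly the user-space residue
#    wat0114 mentions; it can no longer touch Program Files, HKLM or services.
if (Test-LocalAdmin $DailyUser) {
    & net localgroup Administrators $DailyUser /delete | Out-Null
}

# 3. With no admin password of their own, every elevation now shows the daily
#    user a credential prompt rather than a one-click consent prompt.
Set-UacLevel Maximum

'{0,-14} admin: {1}' -f $DailyUser,   (Test-LocalAdmin $DailyUser)
'{0,-14} admin: {1}' -f $HelperAdmin, (Test-LocalAdmin $HelperAdmin)
```

    If even the credential prompt is too tempting to cancel-click past, the separate ConsentPromptBehaviorUser value (0 = automatically deny elevation requests for standard users) removes the prompt altogether; the thread does not go that far, so the script leaves it at its default.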
  11. Hungry Man

    If they're running a Limited Account what's stopping them from just running the Admin one full time or switching to it every time they want to install malware?

    IDK, I guess I don't install this stuff on children's computers often - only adults'. Adults don't want to have to ask permission to install software...
  12. wat0114

    If they don't know the Admin credentials then they can't install anything to protected directories. Of course they'd have to be willing, as I mentioned earlier, to give up the Admin account credentials, even though that's highly unlikely.
  13. Dark Shadow

    Thanks man, good call on the restrictions. BTW, very good catch on TrafficLight. :thumb:
  14. whitedragon551

    Disconnect their internet. It's the only bulletproof option.

    Check out TeamViewer to make your work easier from a remote location.
  15. Dark Shadow

    Sometimes I think the adults are worse off than the kids; the adults are set in their own ways. I think sometimes the adults need parental control. :p
  16. Dark Shadow

    Except for a usb device loaded with some nasties.
  17. Sully

    The problem is multi-faceted.

    "the masses", as has been detailed already in this thread and many others, don't do well with restrictions of a LUA, and they don't do well with our arcane magic of security software. So how do you stop this? I don't really know.

    We can postulate in here the many different ways each of us keep the nasties at bay. The end result though, IMO, does not come from how much or how little we use, but from our knowledge.

    The task then, and a large one at that, is not how do YOU configure YOUR system, but how do YOU (the geek of the group) configure THEIR systems so that this cycle stops.

    UAC is useless to them IMO. They just click "duh, OK" and the process gets elevated rights instantly. As noted, they don't want to have to learn how to install from an admin account. They get confused running an AV let alone installing and using some other security such as SBIE. Heck, even getting them to reboot into safe mode and install MBAM is a contest of whose patience is greater, mine or the user.

    I whole-heartedly agree, user accounts would be great. But "they" just don't want that. The problem is not that I (or you) support them. I (we) can easily say "do it this way or I am not fixing it again". I have done this. No, the problem is that this represents "the majority" IMO.

    When I devise my security, I already know from the start that most people can't/won't go to my measures. Nor should they have to. But when I help other people, I am constantly thinking "what can I cook up that will minimize their issues, with minimal effort on their part, that might also work for anyone, not just those I support".

    Which is why I ask that question here. It has been asked before, I realize. But the end result is still, in almost everyone's case in this thread, I (or you) have to set that up, have to explain it and have to be near when they have problems, because the security "we" set up is just too difficult for them or they disable it so they can do what they want.

    I am not really expecting there to be an answer. But I do enjoy seeing/hearing other knowledgeable users' input on such topics. Who knows what ideas might develop...

    Sul.
  18. tomazyk

    Education is what is working for me also. I fix computers only for family and friends. I had a few fake AVs to remove, but never twice for the same user.

    I do the following:
    1. I explain to them how they got infected and what they shouldn't do.
    2. I install CCleaner and set it to autoclean on each login.
    3. I also install Chrome and Adblock Plus for surfing.
    4. I install Malwarebytes and HitmanPro and tell them to scan the system if something "strange" happens.
    5. I teach them how to kill the chrome.exe process if the window wouldn't close (fake AV scan). If this is too much for them, I create a taskkill batch file and put it in the taskbar. If a scan window opens when they surf, they just have to press the button. Right after that they have to run CCleaner through the Recycle Bin right-click option.

    Too much software usually confuses users, so I try to keep it simple. So far no one has come back with a similar infection.
  19. wat0114

    There's probably not much you can do then, Sul.

    Careless click-happy users + Administrative access = Disaster
  20. Sully

    lol, it seems most people I help are true neophytes.

    Many are older and only use them because everyone else is. They have no interest in them other than to do email and surf. These are the worst ones because they are truly at everyones mercy. I guess I pity them.

    I have devised many schemes and spent many hours trying to educate them. They just don't care.

    The younger ones, maybe 40's and down, who came up with arcade games and vcrs and pcs, they seem to fare ok if they have any interest at all. They are also the ones who utilize the pc for more than just a mailbox.

    Sul.
  21. DX2

    The only way to stop this is a good AV that detects it before it downloads. It's a setup file that they have to run.
  22. tomazyk

    You have my sympathy :)

    Most people I help are younger and they are willing to learn the basics of secure computing. Because they are my family and friends they would probably feel ashamed if I had to repair their computers for same reason all the time.

    When I helped other people also, I used to charge them. If they came back with the same problem I just raised the price. Now I just don't have time to help others.
  23. Dark Shadow

    When you find one let me know will ya.:D
  24. tomazyk

    The problem is, that most Avs are not that good at detection when it comes to fake AVs :doubt: Adding Malwarebytes or Superantispyware usually helps to close the gap.
  25. Kees1958

    This really works well. Everyone grasps the 1806 trick to prevent unintended (social-engineering installation) and drive-by infections.

    1. UAC set to default
    2. EMET only for internet-facing stuff
    3. Avast file shield only, with auto-sandbox and trickle updates enabled
    4. Chrome as default browser with Adblock Plus
    5. CCleaner on demand
    6. 1806 trick: deny execute, with an explanation of how to remove the block (running a .reg file at startup to set it on)
    7. IE9 in XXX mode with SBIE free. SBIE auto-deletes the sandbox when IE9 closes, SBIE only allows IE9 outbound. IE set to always start in InPrivate mode with Startpage search (as start page) plus IE's tracking protection. The 1806 trick also prevents IE9 from downloading executables.

    Regards Kees
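    The "1806 trick" from step 6, as an added example that is not from Kees1958's post or from Microsoft: it sets URL action 1806 ("Launching applications and unsafe files") to Disable for the Internet and Restricted zones, shows what the block keys on (the Zone.Identifier alternate data stream that IE, Chrome and Outlook attach to downloads), and shows the one-click way out that the user has to be taught. The file it stamps is constructed for the demo; the function names are mine; Get-Content -Stream, Set-Content -Stream and Unblock-File need PowerShell 3.0 or later (on 2.0, `cmd /c "more < file:Zone.Identifier"` reads the stream).

```powershell
# Added example (not from the post). Assumes Windows 7 with PowerShell 3.0+.
# Per-user setting, so it runs as the user being protected; a .reg file with the
# same two values in a Run key re-applies it at logon, as Kees does.
$Zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Set-LaunchUnsafeFiles {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode)
    # URL action 1806 = "Launching applications and unsafe files".
    # 0 = Enable, 1 = Prompt, 3 = Disable. Zone 3 = Internet, 4 = Restricted sites.
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    foreach ($zone in 3, 4) {
        Set-ItemProperty -Path "$Zones\$zone" -Name 1806 -Value $value -Type DWord
    }
}

function Get-ZoneId {
    param([string]$Path)
    # The Attachment Manager reads ZoneId from the Zone.Identifier stream and
    # applies that zone's 1806 setting when the file is run from Explorer or
    # the shell. With 1806=3 the user sees "These files can't be opened" instead
    # of the fake AV's installer running.
    try {
        $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
        [int](($ads | Select-String '^ZoneId=(\d)').Matches[0].Groups[1].Value)
    } catch { $null }   # no stream: treated as a local file, never blocked
}

function Unblock-Download {
    param([string]$Path)
    # What to teach the user for a download they really want: Explorer >
    # Properties > Unblock does the same thing, i.e. removes the stream.
    Unblock-File -Path $Path
}

Set-LaunchUnsafeFiles Disable

# Constructed sample: a file stamped as if a browser had saved it from the Internet.
$Sample = Join-Path $env:TEMP 'setup_demo.exe'
Set-Content -Path $Sample -Value 'not really an executable'
Set-Content -Path $Sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

'Before unblock: ZoneId = {0} (launch blocked while 1806=3)' -f (Get-ZoneId $Sample)
Unblock-Download $Sample
'After unblock:  ZoneId = {0} (runs normally)'              -f (Get-ZoneId $Sample)
Remove-Item $Sample
```

    The limits are worth knowing before relying on it: only files that carry the stream are affected, so executables copied from a USB stick (Dark Shadow's point above), unpacked by an archiver that does not propagate the stream, or written to a FAT drive have no zone and run unhindered; and the value lives in HKCU, where anything already running as the user can flip it back, which is why Kees re-sets it at every startup.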