So Security Essentials provides a reasonable degree of security in a lightweight, non-stability-affecting package. However, it doesn't quite offer the level of babysitting or the protection that I need.
I've needed to supply some PCs to some mainly/formerly-Mac users to work on a side project for me - but as expected, after our trial run I've discovered that in terms of 'tech common sense', these guys are complete idiots - they're taken in by every single morsel of social engineering they come across and click on every single thing they shouldn't, then blame the computer.
Neither I nor my staff can deal with entitled Apple-addled morons calling us up every day going 'the computer did x' - but since we're working entirely in a Windows environment for this project, supplying them with Macs is not an option (and neither is using a Windows VM in OS X - the Macs will be catching fire at the level of performance the software will demand in VM of a Crapbook Pro).
What I need is a much more heavy-duty level of protection for each PC than something like Security Essentials provides. Browsing / drive-by protection, social engineering countering, as well as regular antivirus/malware protection. But it's imperative that it not affect the stability of the host PC and doesn't take a hefty hit on the speed (the machines range from i7 LVs upwards).
Email protection is not relevant - everyone accesses one of my Exchange clusters and that has industrial-level antivirus / antispam, priority is Internet-browser activity protection. It would be simpler if the guys were all in one location, but they are distributed so it's much harder to put in heavy-duty endpoint protection further up the stream from the PCs.
Any suggestions?
-
Microsoft Security Essentials coupled with UAC should be enough for most people. That's a pretty all encompassing security suite.
I think your issue here can be solved with UAC on max settings, it sounds like they need protection from themselves more than anything else and UAC is good for that.
You could also try Avira antivirus.
As for browsing protection I suggest either Chrome (If you use stable enable the XSS auditor in about:flags) or IE9 in protection mode. You can also run the program Spybot Search & Destroy and "immunize" your computer. This should use the windows host file to block certain known malicious sites.
I think spybot will help a lot since you're looking for web security.
You can also look into using other host files such as this:
Blocking Unwanted Parasites with a Hosts File
And use that with spybot. That website will also give instructions on how to modify the host file.
So basically, UAC + Host File should be plenty. -
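The hosts-file blocking described in the post above, as an added example that is not the poster's code nor anything from the linked site: it merges a blocklist into the Windows hosts file inside a marked section, so the entries can be refreshed or removed later without disturbing the rest of the file. It must run elevated; the blocklist text is a constructed sample, and the `.example` names in it are placeholders, not real malicious hosts.

```powershell
# Added example: idempotently merge a blocklist into the hosts file.
# Run from an elevated PowerShell. Constructed sample input below.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BeginMark = '# BEGIN managed blocklist'
$EndMark   = '# END managed blocklist'

# Constructed sample in the usual "addr host" style; comments, duplicates
# and mixed case are there on purpose to show the normalisation.
$Blocklist = @'
# sample list (constructed, placeholder names)
127.0.0.1  bad.example
0.0.0.0    tracker.example   # inline comment
0.0.0.0    BAD.EXAMPLE
ads.example
'@

function ConvertTo-HostEntries {
    param([string]$Text)
    $seen = @{}
    foreach ($line in $Text -split "`r?`n") {
        $clean = ($line -replace '#.*$', '').Trim()     # drop comments
        if (-not $clean) { continue }                     # skip blank lines
        $parts = $clean -split '\s+'
        # Accept "addr host" or a bare hostname; the last token is the name.
        $name = $parts[-1].ToLowerInvariant()
        if ($name -eq 'localhost' -or $seen.ContainsKey($name)) { continue }
        $seen[$name] = $true
        # Sink to 0.0.0.0 (non-routable), so a blocked request fails at once
        # instead of being sent to whatever listens on 127.0.0.1.
        "0.0.0.0 $name"
    }
}

function Update-ManagedHosts {
    param([string]$Path, [string[]]$Entries)
    $existing = if (Test-Path $Path) { Get-Content $Path } else { @() }
    # Remove any previous managed section; keep every other line verbatim.
    $kept = New-Object System.Collections.Generic.List[string]
    $inside = $false
    foreach ($l in $existing) {
        if ($l -eq $BeginMark) { $inside = $true;  continue }
        if ($l -eq $EndMark)   { $inside = $false; continue }
        if (-not $inside) { $kept.Add($l) }
    }
    $out = @($kept) + @($BeginMark) + $Entries + @($EndMark)
    Set-Content -Path $Path -Value $out -Encoding ASCII
    ipconfig /flushdns | Out-Null    # make the new entries take effect now
}

$entries = ConvertTo-HostEntries -Text $Blocklist
Update-ManagedHosts -Path $HostsPath -Entries $entries
"$($entries.Count) entries written to $HostsPath"
```

Re-running the script with a newer list replaces only the managed section, so hand-added lines survive. Since the hosts file is admin-writable, this holds up as long as the users are standard users; an administrator account can edit it back.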
Interesting challenge
So, can we assume that those machines will run in a fixed configuration, with a fixed set of software applications? It is possible to lock down such a machine hard, defeating most of the viruses designed for idiots. First off, you start by having UAC set to maximum level, and only allow your users to log in as standard users. Don't give them an admin password...
Next, here are some steps to take (notice that each of these results in some reduced functionality; you'll have to decide whether your people can live with that):
- Take away their ownership of their startup folder, and have it owned by the admin, then give them read-only permissions for that folder.
- Do the same for their run keys in HKCU.
- Do the same for HKCU\Software\Classes. Now this one is potentially problematic, as some crummy software may insist on messing with these every time it starts up. You'll have to test if this causes problems.
- Do you need Java? If not, simply uninstall it.
- Same for Javascript: If it's not mission-critical, disable it. I am assuming here that these computers are for work only. If your people want to goof off browsing the web, have them use their Apple toys...
- Depending on the software packages you need, lock down the startup folders for these as well. Examples are the Startup folders for Microsoft Office.
I think the above should pretty much cover you; anybody else who wants to chime in with additional steps, feel free. Oh, and none of the above will have any effect on performance, they all come for "free"... -
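The permission changes the post above describes (Startup folder and HKCU Run keys owned by the administrator, read-only for the user), as an added example that is not the poster's code: it reports what is currently registered to run at logon and, with `-Apply`, sets the ACLs. It assumes an elevated PowerShell session on the machine, that the target user is currently logged on (so their HKCU hive is loaded under `HKEY_USERS\<SID>`), and `$TargetUser` is a placeholder account name.

```powershell
# Added example: audit and (with -Apply) lock the per-user autostart locations.
# Assumptions: elevated session, target user logged on, placeholder account.
param(
    [string]$TargetUser = 'LAPTOP01\alice',   # placeholder, not a real account
    [switch]$Apply                            # default is report-only
)

$ErrorActionPreference = 'Stop'
$admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$account = [System.Security.Principal.NTAccount]$TargetUser
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# The profile folder is recorded per SID under ProfileList (may contain %vars%).
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$profile    = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $profileKey).ProfileImagePath)

# The per-user autostart locations named in the post.
$targets = @(
    @{ Kind = 'Folder';   Path = Join-Path $profile 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' },
    @{ Kind = 'Registry'; Path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run" },
    @{ Kind = 'Registry'; Path = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\RunOnce" }
)

function Show-AutostartContent {
    param([string]$Path, [string]$Kind)
    if ($Kind -eq 'Folder') {
        Get-ChildItem -Path $Path -Force | ForEach-Object { "  [startup item] $($_.Name)" }
    } else {
        (Get-ItemProperty -Path $Path).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "  [run value] $($_.Name) = $($_.Value)" }
    }
}

function Lock-AutostartLocation {
    param([string]$Path, [string]$Kind)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the profile folder / hive root (which give the user
    # Full Control) but keep copies of the inherited rules, so SYSTEM and
    # Administrators retain their access.
    $acl.SetAccessRuleProtection($true, $true)
    # Drop every rule naming the user, then grant read-only.
    $acl.PurgeAccessRules($account)
    if ($Kind -eq 'Folder') {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $account, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    } else {
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $account, 'ReadKey', 'ContainerInherit', 'None', 'Allow'
    }
    $acl.AddAccessRule($rule)
    # Ownership goes to Administrators so the user cannot grant themselves
    # write access back.
    $acl.SetOwner($admins)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($t in $targets) {
    if (-not (Test-Path -Path $t.Path)) { Write-Warning "not found (user logged off?): $($t.Path)"; continue }
    "== $($t.Path)"
    Show-AutostartContent -Path $t.Path -Kind $t.Kind
    "  owner: $((Get-Acl -Path $t.Path).Owner)"
    if ($Apply) {
        Lock-AutostartLocation -Path $t.Path -Kind $t.Kind
        "  locked: owner $admins, $TargetUser read-only"
    }
}
```

Run it once without `-Apply` to see what is already set to start at logon, then with `-Apply`. As the thread goes on to say, this only means something for a standard user: an account with administrative rights can take ownership back. The all-users Startup folder under ProgramData is already writable only by administrators, so it is not touched here.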
Thanks for the reply so far.
I forgot to mention - this additional, and even trickier, step.
The user needs administrative privileges. There are a couple of legacy apps which need it, but more than that when we tried locking the machines down, my staff was faced with a torrent of 'I can't install Spotify' 'I can't do X with iTunes', 'something in Facebook doesn't work', etc. Java - mandatory I'm afraid, as is Flash.
We need these guys because of certain things they bring to the table - and we're definitely not talking brains. And consequently it needs to be personally usable to a degree.
Our lock-down efforts failed when one of my colleagues lost her rag and said "**** it, I'm giving these [redacted] administrative rights".
We have master images of all the notebooks, so it is a fairly trivial matter to return each machine to the state we would want them to be in. But I'd rather my people not be wasting time constantly needing to do that (so far it's only happened a couple of times).
Chrome - yes, people are using it. Because everyone types their search queries into even a Firefox address bar, we've got everyone on Chrome. But you're dealing with the kind of types that on being redirected to an XP-like 'You have a Virus' fake malware page on Chrome, will do everything the fake malware asks in order to get it installed before calling us.
It's a tall order I know, but I need something that will protect these guys as much as possible from themselves, while the machine is relatively open to installation of new software, etc. -
ViciousXUSMC Master Viking NBR Reviewer
I like MSE since its free, not intrusive and seems to work pretty good.
-
Mr_Mysterious Like...duuuuuude
Seconded.
Mr. Mysterious -
Do some people ever read the posts? Or do they just reply to the title?
-
ViciousXUSMC Master Viking NBR Reviewer
Both, just scanned.
If the title can't say it all, it's probably not a good title. -
Problem is, MSE isn't idiot-proof. Most of the relevant drive-bys / malware / socially engineered installs scoot straight past it.
Also, I say why in the first line. -
Man, I was thinking the same thing...
Well, now that one kills you right there. There is no way to secure a system if you have idiots operating it as admins; no way at all.
No, not really. You can always allow these things to run even in a locked-down environment as I described, but it's going to be work: You need to figure out what particular idiocy it is that makes the app require admin privileges, and then you can selectively add permissions to make that possible. But, I know only too well that that's work, and you may or may not be prepared to invest that kind of work.
Sigh...
Heh, well, that much I gather...
That's not a tall order, it's an impossible order. Sorry.
Correct, and the same is true for any other anti-virus software. There is no way to secure a computer without strict enforcement of security boundaries, and that can only be done by a harsh enforcement of limited user privileges. Otherwise you'd be asking for the perfect, intelligent anti-virus software. Such a thing doesn't exist. All existing anti-virus packages are close to useless, in the sense that the protection they give you is absolutely minimal. -
masterchef341 The guy from The Notebook
If it's a work computer for a particular performance oriented project, why does it need iTunes and Facebook working? Just lock it down imo. There's no reason to waste resources on making Facebook usable if you are doing a specific high performance oriented project.
-
I agree with that sentiment. Seems to me that somebody in management needs to decide whether it's more important to play Farmville, or to get the project done...
-
You're looking for something stronger at blocking malware before it reaches the system, lightweight, easy to use, efficient and quite proactive to forgive the mistakes and minimize the user interactions with the system (firewall pop-ups)
firefox with wot add-on, adblock plus, redirect remover
and
a pretty lightweight, easy to use and proactive internet security software: look at avira premium security suite or eset smart security (not panda because of too many false positives)
sandboxie,
scheduled windows defender scan or hitman pro
or a stronger but heavier solution:
firefox with wot add-on, adblock plus, redirect remover
sandboxie,
gdata antivirus (excellent detection rate which fight clicking and download mistakes),
spyshelter (good proactivity, minimize the user interactions with the system and solve some weaknesses of gdata),
windows firewall or any no hassle firewall (comodo firewall is not idiot proof, pctools firewall is more)
scheduled windows defender scan or hitman pro
here are more data:
performance: http://www.av-comparatives.org/images/stories/test/performance/performance_aug_2010_en.pdf
firewall only (not reliable for internet security)
Results and comments - www.matousec.com
proactivity
Virus Bulletin : VB100 award - latest comparative
http://www.av-comparatives.org/images/stories/test/ondret/avc_retro_nov2010.pdf
linux: Shadowserver Foundation - Stats - VirusYearlyStats
update:
a corporate review of the main internet security suites
http://www.av-comparatives.org/images/stories/test/corporate/corporate_review_2010.pdf
I forgot secunia PSI to bring some long lasting stability to the system
the automatic pilot of the gdata firewall is a good solution to avoid pop-ups
I found some holes in it with the comodo leaktests but like 95% of the firewalls which won't pass the tests anyway (I successfully passed the test with the comodo firewall)
I forgot a hips in the first solution
so here are the new solutions:
the lighter one:
firefox with wot add-on, adblock plus, redirect remover
avira premium security suite or eset smart security
clearcloud dns
sandboxie,
scheduled windows defender scan or hitman pro
HIPS: Emsisoft mamutu or safensec personal
Mamutu + Avira Premium IS, i need 100% EMSI team confirmation - Emsisoft Support
another heavier solution:
firefox with wot add-on, adblock plus, redirect remover
clearcloud dns
sandboxie,
gdata internet security with web and phishing protection disabled and automatic pilot on
HIPS/ANTILOGGER: spyshelter
scheduled windows defender scan or hitman pro
or a little bit lighter one:
firefox with wot add-on, adblock plus, redirect remover
clearcloud dns
sandboxie,
gdata internet security with web and phishing protection enabled and automatic pilot on
HIPS: safensec
scheduled windows defender scan or hitman pro
the new Emsisoft anti-malware is now a good contender to gdata antivirus
I like the HIPS in the comodo firewall, more effective than safensec (for knowledgeable users)
defensewall HIPS is another good solution as well
YouTube - DefenseWall HIPS 3.0.5 Review -
Exactly! If they're getting paid to perform this "side project" (as the OP refers to it), then they have no business being on Facebook or iTunes while working. I say lock them out of anything other than work-related sites until the project is completed.
-
If they can't keep their computer free of malware they don't deserve any admin rights.
That is why I think OS X is a bane; it encourages stupidity in many users. -
Thanks. I'll read up on some of those.
-
I've had to use facebook at work. Social media plays into multiple legitimate jobs.
IDK about itunes though. -
been using avira antivir...free and reasonably reliable
-
If 'moronic browsing' is the main/only issue, I'd recommend Sandboxie.
Users can still browse away, click on everything but as long as you configure SBIE decently, not much can happen to the real OS.
Just make sure that only one folder is allowed for downloading stuff, use the 'Drop my rights' feature for a LUA browsing environment while in admin mode, etc. -
That's what I thought too until the magic word came to me: idiot-proof
first, we should expect to see people downloading malware from sandboxie to the real system and doing things we can't even imagine (some exaggeration here); sandboxie is probably enough for someone who knows what he/she is doing
secondly, there are still weaknesses to the sandbox and HIPS features, that's why a combination of several features should come first
and finally, with more and more internet security suites coming with a sandbox and a HIPS there is probably more and more malware able to bypass it, coming every day
here is some info about the weaknesses
Handbook of information security - Google Books
Defensewall, GeSWall, Sandboxie and BufferZone pitfalls
DefenseWall Personal Firewall at Bits du Jour
DefenseWall Personal Firewall v3 Review with 75 License Giveaway | Raymond.CC Blog
A solution to the pitfall for sandboxie. Example at the end of the video
here is what drop my rights in sandboxie and admin do together
Sandboxie drop rights function -
Honestly? The only "idiot-proof" way to do this securely is to create a master image (with mse/flash/java all the goodies installed), and then force everything to run in either a VM or a sandbox (recommend sandboxie). Destroy the sandbox/vm every day, or every session if you like.
It'll be a pain for you to reimage but that should only need to be done every month, barring any major security patch release. -
Would it make me (when using a standard user with UAC on max level) completely safe from applications giving themselves "autostart" rights when doing that? Wouldn't I also need to do the same with some autostart registry?
So in case some program wants to move itself to autostart, UAC will alert me? -
I used to require a similar solution for a church's Youth Group computers. To make it all work, I'd use DeepFreeze. Basically, restore your 'safe' image every restart, minus specific files/folders. Make a single folder on their desktop that they can perma save to, plus vital folders. (Favorites, programs they need to make changes to regularly, NOT the browser main directories.)
That should avoid 99% of malware, that likes to live in their own Program Files folders, random Windows folders, or AppData. Plus reduce the panic and length of support required. ("Just restart, and it'll go away!")
That, combined with Avira doing sched scans of the safe directories, and you're golden. -
We've looked at solutions like this. In fact, far more sophisticated iterations. The key is that the machine needs to be personally usable, because the usage of the software is a part-lifestyle solution.
I think we've got more testing scheduled later on. For now though the thinking is something on the lines of erig007 combined with a hosted proxy. -
About the only way to stop those pesky "You have a virus" boxes is to advise them that under no circumstance are they to click yes. Tell them immediately upon getting the box they should call you or IT, however you have it set up. My daughter and son-in-law got hit by those and I told them to ask me for future reference. No more issues and they have only had the issue once each since but no infections.
The best defense is an education! But maybe another answer may be if they are legacy apps what about Windows 7 Pro and a VM of XP? -
HA
Been there, done that, wanted to throttle necks. People who aren't interested aren't interested in being educated.
Besides, I made one of my secretaries cry once when she sweetly responded to my query about a schoolgirl error she made with "hehehe, I'm not very good with computers", after which I asked "then would you like to tell me why I employed you to sit in front of one all day?".
Yes, I am that guy.
So no, education is out. Dumb people will be dumb people - Apple knows that and they do very well out of it especially in the current climate of 'the culture of me' - and I'm looking for a similar approach to security. Of course, the need for a degree of open access to the system makes it much more complicated.
We're still evaluating the multilayered approach, starting with an economical UTM at each location (which I hoped to do without, but I think is probably unavoidable if we want to be as idiot-proof as possible), hosted proxies and various on-PC suites, including some of the ones suggested here.
Last edited by a moderator: May 8, 2015 -
SoundOf1HandClapping Was once a Forge
Hire someone with half a brain to look over their shoulder as they work, and tell them "you can click this, don't click that." It'll probably save you time, money, and digestive problems in the long run.
Okay, kidding. Half-kidding. Semi-serious.
But despite what you just said, I have to say what Tanware said. Tell them not to click things. You're doing all you can with your needs on the software level, but the weak link in the chain is the PEBKAC.
That's basically what I had to do with a computer I built for some clients. They had used Apples before and (randomly) wanted a Windows PC. In the end, I had to take away admin rights (which is sad, since it's their own personal computer), turn UAC to max, and load up MSE, Malwarebytes, and play games with Windows firewall. It's a semi-crippled computer, but it saves me a 10-minute drive every week.
And I told them not to click things.
Most idiot-proof, lightweight, proven-reliable Antivirus?
Discussion in 'Security and Anti-Virus Software' started by Vogelbung, Apr 10, 2011.