Antivirus protection without the Internet
June 21, 2012 5:06 PM Subscribe
We have some never-on-a-network PCs set up in a lab at work; all are running Windows Vista. We need a good way to keep up-to-date antivirus software on them without relying on an internet connection.
We can't connect our lab computers to the outside world without being required to install a lot of unwanted software, so we have elected to keep them off the internet entirely. All file transfers take place via USB drives or CDs. A few years ago, we had a student infect one of the computers with a virus they transferred from their USB drive. To remove it, we were able to install a copy of McAfee VirusScan Plus from CD, but McAfee now tells us that they no longer provide update CDs/DVDs and the only way to update and get new virus definitions is via an internet connection.
Students only rarely have access to these computers. We can forbid students from ever using USB drives in these computers, but this is inconvenient and mostly unenforceable.
What virus protection strategy should we be using, and why? How often should we update? If we get infected again, is there going to be any way we can remove the problem without connecting to the internet?
We can't connect our lab computers to the outside world without being required to install a lot of unwanted software, so we have elected to keep them off the internet entirely. All file transfers take place via USB drives or CDs. A few years ago, we had a student infect one of the computers with a virus they transferred from their USB drive. To remove it, we were able to install a copy of McAfee VirusScan Plus from CD, but McAfee now tells us that they no longer provide update CDs/DVDs and the only way to update and get new virus definitions is via an internet connection.
Students only rarely have access to these computers. We can forbid students from ever using USB drives in these computers, but this is inconvenient and mostly unenforceable.
What virus protection strategy should we be using, and why? How often should we update? If we get infected again, is there going to be any way we can remove the problem without connecting to the internet?
Do you keep windows updated? That's probably more important than having virus protection.
posted by The Lamplighter at 5:20 PM on June 21, 2012
posted by The Lamplighter at 5:20 PM on June 21, 2012
Response by poster: McAfee has explicitly said via service email that they no longer support offline virus definition updates.
Windows updates are just as painful without an internet connection. Once a lab computer is put in use, it generally stays in its original state until it's replaced. We still have one computer running Windows 2000. If we want a newer operating system, we usually buy a new computer.
I anticipate the purchase of at least one new computer, probably with Windows 7, in the next year.
posted by mimo at 5:29 PM on June 21, 2012
Windows updates are just as painful without an internet connection. Once a lab computer is put in use, it generally stays in its original state until it's replaced. We still have one computer running Windows 2000. If we want a newer operating system, we usually buy a new computer.
I anticipate the purchase of at least one new computer, probably with Windows 7, in the next year.
posted by mimo at 5:29 PM on June 21, 2012
Perhaps a different strategy is in order.
Instead of keeping antivirus software up to date, would it be possible to lock down the machine such that every time it boots it restores the entire system from a known good, read-only image? This does make things more complicated when it comes time to upgrade software, but it should mostly eliminate the possibility of being infected by viruses and reduce most software problems to "just reboot the machine".
posted by RonButNotStupid at 5:45 PM on June 21, 2012 [3 favorites]
Instead of keeping antivirus software up to date, would it be possible to lock down the machine such that every time it boots it restores the entire system from a known good, read-only image? This does make things more complicated when it comes time to upgrade software, but it should mostly eliminate the possibility of being infected by viruses and reduce most software problems to "just reboot the machine".
posted by RonButNotStupid at 5:45 PM on June 21, 2012 [3 favorites]
I've been in a few labs that have used Deep Freeze, but there are many alternatives that accomplish essentially the same thing.
With this sort of setup, any virus that the machine is infected with only survives until the next reboot, which you can schedule to regularly happen when the lab isn't being used.
posted by RonButNotStupid at 5:53 PM on June 21, 2012
With this sort of setup, any virus that the machine is infected with only survives until the next reboot, which you can schedule to regularly happen when the lab isn't being used.
posted by RonButNotStupid at 5:53 PM on June 21, 2012
Windows Updates should be your priority over virus scans.
posted by The Lamplighter at 6:05 PM on June 21, 2012
posted by The Lamplighter at 6:05 PM on June 21, 2012
What virus protection strategy should we be using, and why?
Your whole premise is a bit messed up. I can't imagine why a student would want to use a lab without internet, but fine. Taking your premise I wouldn't worry about virus protection at all.
If a machine got a virus I would reimage it and be back to a clean slate in 20 minutes.
RonButNotStupid probably has the ideal strategy, but that's more effort than I'd be willing to exert in this case. For computers that won't have web or email? Those are your primary vectors for viruses. In the unlikely event you get one in another manner blow the machine away by hand.
You could even partition the drive with a hidden partition that stores your image and a minimum boot volume. Boot from that one, reimage the first and start from scratch.
posted by cjorgensen at 7:24 PM on June 21, 2012
Your whole premise is a bit messed up. I can't imagine why a student would want to use a lab without internet, but fine. Taking your premise I wouldn't worry about virus protection at all.
If a machine got a virus I would reimage it and be back to a clean slate in 20 minutes.
RonButNotStupid probably has the ideal strategy, but that's more effort than I'd be willing to exert in this case. For computers that won't have web or email? Those are your primary vectors for viruses. In the unlikely event you get one in another manner blow the machine away by hand.
You could even partition the drive with a hidden partition that stores your image and a minimum boot volume. Boot from that one, reimage the first and start from scratch.
posted by cjorgensen at 7:24 PM on June 21, 2012
Response by poster: The computers are only used for data collection. Data are pulled off and backed up regularly; all pertinent programs could be reinstalled. It could be that having any sort of ongoing system in place is overkill, but it was a only mildly annoying last time to remove the virus via McAfee rather than starting from scratch.
posted by mimo at 7:56 PM on June 21, 2012
posted by mimo at 7:56 PM on June 21, 2012
Best answer: Windows Updates you can do using WSUS Offline Update (I actually use this to apply updates to the networked computers at the school because it's so much easier to set up than the official WSUS).
You can also disable Autorun on all the lab machines, to stop them helpfully executing virus installers when you plug USB sticks into them. This particular registry configuration also makes drives open in Explorer rather than autorun when you double-click them under My Computer.
Malwarebytes Anti-Malware is well respected and has a regularly updated offline updater available.
Finally, if you assemble deezil's recommended toolkit you should be in good shape to clean things up when they do go wrong.
posted by flabdablet at 11:13 PM on June 21, 2012 [1 favorite]
You can also disable Autorun on all the lab machines, to stop them helpfully executing virus installers when you plug USB sticks into them. This particular registry configuration also makes drives open in Explorer rather than autorun when you double-click them under My Computer.
Malwarebytes Anti-Malware is well respected and has a regularly updated offline updater available.
Finally, if you assemble deezil's recommended toolkit you should be in good shape to clean things up when they do go wrong.
posted by flabdablet at 11:13 PM on June 21, 2012 [1 favorite]
Your computers should never connect to the Internet, or they should never connect to a network?
Put them on an internal only network. Do updates internally over the LAN.
posted by devnull at 1:25 AM on June 22, 2012
Put them on an internal only network. Do updates internally over the LAN.
posted by devnull at 1:25 AM on June 22, 2012
Best answer: WSUS is the way to go. I use this method to keep several non-networked mission-critical Win7 and XP machines clean and updated. The machines are regularly accessed by lab members to pull data for analysis, so we must ensure they are up-to-date on antivirus to avoid spreading USB-aware infections.
Microsoft Security Essentials is the best recommendation if you go the WSUS route - if you use this, WSUS will incorporate antivirus/antispyware updates (and can even integrate installation of the Security Essentials). It will also bundle MS Office updates if you check the option. You can use the same system to simultaneously download multi-language and multi-platform updates (32/64 bit).
Best bet is to have one computer used to download the files, download all updates for everything regularly, and write the updates to a data directory. Copy this to an external drive and run from there once a week or so. It's easier than repeatedly burning a bunch of DVDs every time there's a new update.
(Ideally you want to run from a drive that has some sort of read-only mode; I know some larger capacity USB drives have a toggle switch you can flip to drop them into read-only. This would keep any resident nasties from getting onto the drive from any systems being updated, but you'd need to be certain that the computer used to do the downloads is itself clean.)
posted by caution live frogs at 7:33 AM on June 22, 2012 [1 favorite]
Microsoft Security Essentials is the best recommendation if you go the WSUS route - if you use this, WSUS will incorporate antivirus/antispyware updates (and can even integrate installation of the Security Essentials). It will also bundle MS Office updates if you check the option. You can use the same system to simultaneously download multi-language and multi-platform updates (32/64 bit).
Best bet is to have one computer used to download the files, download all updates for everything regularly, and write the updates to a data directory. Copy this to an external drive and run from there once a week or so. It's easier than repeatedly burning a bunch of DVDs every time there's a new update.
(Ideally you want to run from a drive that has some sort of read-only mode; I know some larger capacity USB drives have a toggle switch you can flip to drop them into read-only. This would keep any resident nasties from getting onto the drive from any systems being updated, but you'd need to be certain that the computer used to do the downloads is itself clean.)
posted by caution live frogs at 7:33 AM on June 22, 2012 [1 favorite]
AVG has a free edition, and you can manually download definitions for it here.
posted by Evilspork at 12:08 PM on June 22, 2012
posted by Evilspork at 12:08 PM on June 22, 2012
This thread is closed to new comments.
a) students load files from their USB, and then have a CDRW drive that writes "scrubbed" files that are loaded on the other machines.
b) put a second NIC on the machine, and allow the protected hosts to copy off of a share drive on that machine (i.e., the machine resides on two networks, firewalled appropriately so that the protected machines can only get to the share drive, and the external world cannot get to the protected subnet).
Another option is to switch from McAfee to one of the virus vendors who does support offline virus definitions (Kaspersky, Avast, Clamwin, AVG, Symantec). Are you sure this isn't supported by McAfee too?
posted by Runes at 5:20 PM on June 21, 2012