SANS ISC: Honey, my laptop is acting funny again - SANS Internet Storm Center

Honey, my laptop is acting funny again

It's a phrase that causes dread in the hearts and minds of many a security professional, including myself.

The firewall is on and tightly configured, AV is installed ... all the usual precautions are in place but inevitably, somehow, every few months, the system becomes infected.

With three family laptops in the house ... well I think you see where this is going.

My wife and kids have been resistant to moving to Linux systems, so I've been considering running a Linux host with Windows VMs that I just revert to snapshot as needed.

I know I'm not the only one who is in this situation so if you have a better solution, send it in and I'll add it to the diary.

If you're in the same boat that I am, check back as someone may have a solution for you.

Oh, and, uh .. in addition to fixing the laptop, I have a "honey-do" list so I may take a bit to get back to you, but I will.

Anyone know how to install a built in dishwasher?  ;)

Christopher Carboni - Handler On Duty


140 Posts
Apr 25th 2010
Been using Linux myself since the 90s; not going to impose what I see as a security-through-obscurity measure on my family. In addition to what you've done and making sure all software on the boxes is updated relatively frequently, I just don't give my family admin rights and haven't seen them get into trouble.

135 Posts
Have them use Macs. User-friendlier and Unix underneath if you need it.
Steve Campbell

7 Posts
We routinely see current drive-by malware attacking both admin and limited users. Granted, cleanup from an attack against a limited user is typically much faster and simpler, but it's by no means a guarantee that you'll be malware-free.

40 Posts
We're a Mac family and the only issue the wife has ever seen was an obscene pop-up when a friend of hers got Koobfaced. We use OpenDNS for a little extra protection, and have the occasional lecture on the good, the bad and the ugly of the internet...

47 Posts
Implement the free version of the Astaro Web gateway. Best thing I ever did. Stopped random infections across my entire home network.

1 Posts
If running Windows, take away the admin privs, enforce updates, load Firefox with AdBlock, WebOfTrust and NoScript (preconfigure this). I've also heard good things about Microsoft's "Steady State" app.

If running Linux, consider the LTSP and centrally-manage the primary image.

For the dishwasher, I found it easiest to set it where it was to be and built a frame around it. I then set a 1" thick butcher block on top for a prep surface and to minimize vibration. Then I just slid it out, drilled holes to drop the power to my circuit breaker box and connected the hoses (you really want it to have its own breaker). Slid it back in, screwed it in place and let it run. I did not connect it to my network. ;)

4 Posts
I have hardened Ubuntu running Sun (Oracle?) VirtualBox with Windows XP inside VirtualBox. "Harden" is in the Synaptic Package Manager.

1 Posts
Hopefully the reason the kids are resistant to switching to Linux is not gaming, as there may be some weird driver / graphics problems in a VM...

48 Posts
Making sure they don't have admin rights and keeping everything up to date is a must. You can also install DansGuardian with an AV filter like Clam on it. It is free for personal use and quite effective. I do it at my house and haven't had any issues.

4 Posts
I use a combination of local user with Software Restriction Policies and don't have any issues. They can't write places they can run and can't run places they can't write. Combine that with some decent local hosts files, Firefox with NoScript and AdBlockPlus and it has been problem free.
1 Posts
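
The Software Restriction Policies setup in the comment above rests on one invariant: a standard user must never hold write access to a directory that the policy allows execution from. The script below is an added example, not code from the thread or from any SRP documentation; it audits that invariant by walking the usual allow-listed roots (%SystemRoot% and %ProgramFiles%, an assumption, so adjust the list to match your own path rules) and reporting every subdirectory where a non-admin principal has write or modify rights. Each hit is a spot where a limited user could drop a file that the default rules would still let run, so it needs either a Disallowed path rule or a tightened ACL.

```powershell
# Added example, not part of the original diary or its comments.
# Audits the SRP invariant "users can't write where they can run": lists every
# directory under the allow-listed roots that a standard user can write to.
# Assumption: the allow rules cover %SystemRoot% and %ProgramFiles%; edit
# $AllowedRoots if your path rules differ. Run from an elevated prompt so
# Get-Acl can read every directory.

$AllowedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Principals that stand for a non-admin user on a typical home machine
$UserPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a user plant or overwrite a file in the directory
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-UserWritable {
    # Returns the first non-admin principal with an Allow ACE granting write
    # rights on $Path, or $null if there is none (or the ACL is unreadable).
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($UserPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            return $ace.IdentityReference.Value
        }
    }
    return $null
}

$Findings = foreach ($root in $AllowedRoots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $who = Test-UserWritable $_.FullName
            if ($who) {
                [pscustomobject]@{ Path = $_.FullName; WritableBy = $who }
            }
        }
}

# Every row is a candidate for a Disallowed path rule or an ACL fix
$Findings | Sort-Object Path | Format-Table -AutoSize
```

The check only looks at Allow entries, so a directory that also carries a Deny ACE for the same principal will show up as a false positive; confirm each finding by trying to create a file there as a standard user before adding a Disallowed rule for it. Windows ships with a few such directories by design (temp and task folders under %SystemRoot% are the classic ones), which is why the "can't write where they can run" setup is usually completed with explicit Disallowed rules rather than by relying on the two default allow rules alone.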
Steady State rocks for exactly this kind of thing. Kids enjoy too many games to be trying to play inside a VM. Just have to teach them not to save documents, etc to the local machine.
1 Posts
Like Dale, I'm running a free UTM, at home and work. Work may change now that we have some grant $. Untangle is also a great solution. The only thing I wish Astaro had was IMAP email scanning. Then again, my email provider scans for threats, so I may move to Astaro anyway. Regardless, a free UTM is the only way to go. I just set up my MIL's home network. An old box, two NICs, maybe some more RAM, and good to go. Saves on headaches. After that, I set up one for a friend. I have decided, being the cheap bastard I am, I'll recycle an old box and buy used wireless APs off of eBay. With a box for free, $50 in RAM, $20 for a second NIC, and $30 for a wireless AP (I prefer Linksys running Tomato) you have a great set up for less than $100.

On all hosts, AV/anti-malware. For MS hosts, Microsoft Security Essentials. No admin rights.

At least that is how we roll. Your results may differ.
Lt. Art

4 Posts
Dollar signs don't show up? It is less than 100 for what I described.
Lt. Art

4 Posts
What I would do is install Windows along with anything they normally use and then take an image of the hard drive using PartedMagic (a live Linux distro trying to fill the OSS niche of Ghost/Partition Magic) with partimage.

Whenever the machine gets infected simply image it.
Lt. Art
1 Posts
Something my Windows guys are deploying on all our work laptops is VHD. This allows you to install Windows to a virtual HDD file rather than a partition, so you can have multiple installations of Windows in a single partition in separate VHDs. So we have our live Windows installation and also a backup installation that we can go to should the primary fail. Maybe an option for you to allow easy re-imaging and reverting to known good images and not confuse the issue with Linux and virtual machines.
Lt. Art
1 Posts
Having 3 kids, I am always concerned with my multiple-computer household getting infected. What I have done is created a Linux bootable flash drive that I have for each machine. I installed Puppy Linux (personal preference) on the flash drive and made it read-only. We do not mount the hard drives to keep them from getting infected as well.
Lt. Art
1 Posts
My wife's laptop is running Windows XP with full admin rights, has no personal firewall and no antivirus. The only security in place is on the router with a NAT based firewall and WPA2-AES encryption on the wireless.
Email is virus/spam protected by Google/Microsoft/Yahoo.
In three years I have not had a single problem so far.
Educating users on how to avoid infection is far more effective than trying to block the user from getting to the source of infection, I find.
Lt. Art
1 Posts
Taking away admin privileges and then enforcing updates can be two contradictory things... Firefox comes to mind.

If someone were to come to market with a sandboxing application that was one step up from removing admin access (that is, you have admin access, but everything can be reverted in a CVS/Wikipedia-like fashion, and every component is isolated from doing damage to or stealing data from another component), I'm sure there'd be a huge market for it.

However, for this kind of thing to work in a usable fashion you may have to change so much of the OS that you'd have to go back to the drawing board. The iPhone security model is a nice parallel. When was the last time you had a user complain about their iPhone/iPad acting funny? The sandboxing is so integrated they just remove any app they want and it is gone.
Lt. Art
1 Posts
Hey HOD,
Untangle is also a good UTM, and it's user-friendly; it has a GUI.

You can download it from ""

14 Posts
I personally use Sandboxie (only for Windows). It is a very nice tool that not only allows me to sandbox any program that connects to the internet but also has features to delete the content of the sandbox after the program is closed, force a specific program to run sandboxed, or even drop the rights even if you are running as a local admin. For example, if your PC gets compromised by visiting a website, everything is wiped out after you close your web browser.
3 Posts