Will Windows firewall suffice to protect PC without Internet Brows

[Eugene]

While looking at Internet-based connection as a replacement for dial-up
connection for remote support of our customers’ we’ve run across a problem of
securing our customers PCs from Internet-based threats. Buying anti-virus
software with subscription will only bring cost increase and subscription
renewal complications we want to avoid. Since computers we assemble,
configure, load our proprietary software to, and ship to our customers
require neither Internet browsers nor e-mail software do we still need
anti-virus software?

Please advise if it is safe to connect to the Internet a PC without
virus-protection software (but with Windows Firewall active) provided that
this PC will NOT be used for Web browsing and e-mail.

Will Internet-based attacker be able to detect and successfully invade our
customers’ PCs even though those PCs never send any requests to the Web?

Thank you,

Eugene

 

[Bill Sanderson]

My answer would be no.

How will these customers keep Windows updated with critical security
patches? This process is web-based. Even if no browser is visible to the
user most of the time, web-based connectivity is still in use.

Security vulnerabilities can exist in any software which operates on binary
objects. Are you sure that nobody will run a music player of some kind?

A firewall is a major help in this regard, but it isn't a panacea--there are
none.

Even assuming that you maintain these machines up to date with Microsoft
security-related patches, there may well be third-party software to be
considered as well.

What will be your remote support mechanism? How will you maintain it on the
customers machines in the event that a security vulnerability is found in
that software? What secures that support mechanism? What ports will need
to be opened in customers internet-connecting routers, if any, to allow your
software to work?

You build to suit, so it is reasonable to assume no third-party junk other
than what you need to get your job done. Let's assume Windows is getting
auto-updated--so critical patches should be applied within perhaps 24 to 48
hours of their release. There have been a number of instances where
vulnerabilities have been both known, and in some cases, exploited, in
"limited" ways for a period of time before a patch closing the vulnerability
has been available. (Limited meant less than 50 known attacks worldwide in
one recent case!) In cases like that, an antivirus that happens to spot a
payload being placed by an attacker is the most likely defense you have.

I can't say this is safe. I'm not sure how to characterize just how
"unsafe" it would be, however.

 

[robinb]

why do you have to put a paid avg on the computer? why can't you send it
out with a free version like AVG 8.0 or Avira Free?
Both do very good jobs. I tend to like AVG a bit better only because it is
more user friendly but if AVG has a problem I will put Avira on it. The
only reason I do not like Avira is its popup after it does an update to
remind you to purchase the pro but I have found a script to avoid this
completely.

This would solve your "additional cost problem" and if they decided to go to
the internet or get email at least they are protected.
Running xp firewall or vista firewall is fine and if you want more
protection advise them to set up a router which has hard wire firewall
protection. This way you are doubly protected.

robin