How to disable downloading on employee’s computer?

Topic

New Reply

So, an employee here keeps getting malware and trojans on her computer. I have had to debug it 3 times in the last 5 months and most recently her computer was almost unusable. I am not in IT, nor am I very good at it without googling the issue first. The problem I’m having is that our work requires us to download semi-frequently. We do graphic design/printing, and some customers send files that need to be downloaded or we need to download fonts to match a certain job. I looked up most of the viruses that she got and found they are usually from free software. I don’t want to completely disable downloading or make it obvious that I am restricting her computer, but I want to make it so she cannot download any programs and I cannot afford to spend another day fixing her computer when I could be doing actual work. Her computer is also linked to a lot of expensive equipment and software. Her computer houses our network and our backup files, in fact for me to access client files I need to be networked to her computer. Any ideas?

Reply | Quote

Replies

SD,

Welcome to the Lounge as a new poster! :cheers:

The first thing I’d do is get her a new computer and move the one she is currently using to serve strictly as a file server for the others in the office. This will mitigate the risk some. You definitely do NOT want your very important business files on a computer that regularly gets infected and as there is no practical way to stop her from downloading selected files it is IMHO the best first step.

Next, on her new computer I would install a Hosts File that would limit her from going to known bad sites to download again not a complete solution but another link in the chain.

Next I’d install a multi layered malware defense like Windows Defender (free with current versions of Windows), Malwarebytes Premium, EMET. There are other tools but I’ve used these for quite some time w/o problems.

Even with this level of protection, short of disconnecting her from the internet, there is no silver bullet. I would advise job counseling with a very strong emphasis on the impact following the rules has on her continued employment.

HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Retired Geek,

Your suggestions about Antimalware applications are excellent. A variation suggested to me by two other computer gurus would be to use AVAST free in lieu of Windows Defender.

Would you use something to remove spyware?

I’m finding this conversation to be of great interest as I’m a medical and science writer who needs his computers. When I have a heavy workload, I employ others and may face this problem down the road.

Charles:D

Reply | Quote

I’m a medical and science writer who needs his computers

I would pay for a good AV product and have a good backup regime, it’s only your livelihood you are playing fast and lose with.

cheers, Paul

Reply | Quote

I’d have sacked her after the 3rd infection – you only get 2 warnings.
Plus what RG said.

cheers, Paul

p.s. If she can install programs she must have admin rights. Take them away immediately.

Reply | Quote

If she can install programs she must have admin rights. Take them away immediately.

Paul, thanks I missed a BIG one there! :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

Another vote? I go along with all the above. There is no reason for an employee to have the most critical computer, that’s part of why there’s Servers running Networks.

Before you wonder "Am I doing things right," ask "Am I doing the right things?"

Reply | Quote

Yes, it’s either all or nothing with being able to download anything and you would do that by creating a local user account for her without admin rights for her to log in with.

Whenever she tries to download anything, a UAC will pop up where she will have to enter the admin password, but this would entail you also creating an admin account on her computer with your password.

If she’s getting that much malware and Trojans then I would question the effectiveness of your antivirus program.

I use Norton Security Deluxe and if anything untoward is attached to a download, it will block it or the download.

A lot of freeware has adware bundled with it and for the most time can be avoided by unchecking the boxes that will bundle these unwanted programs – provided you look for them before hitting Next or Install.

Unchecky is a program that can do that for, but it isn’t infallible so I’ve heard and some of the PuPs install anyway whether you uncheck their boxes or not and in some cases, the PuP is embedded in the program.

http://unchecky.com/

Can you remember the names of any of the infections you have had to deal with ?

Reply | Quote

wow, quick replies! I will have a discussion with my boss about having the computer as a server only vs. making her use an account without admin rights. I do not have say in the firing process, i just get to deal with the mess, lucky me. We are working on getting another computer for her to use as her primary computer, then the one with our files will just sit in the other room to print jobs. We have a complicated RIP software, Versaworks, on that computer and if we move it to another computer we will risk losing custom profiles we made in it. Once we get the new computer she will share an office with me and be monitored pretty closely, but until then she works in the production room out of sight.

I appreciate the tips and will look into them to see whats best for us. Thanks again

Reply | Quote

I have observed that some people seem to get more viruses / spyware than others. Occasionally, you find someone who never gets infected. I would find the person in the company who rarely if ever gets infected, and I would let that person, and that person only, do the downloading. And as mentioned by others, I would get one computer that the downloading occurs on, and connect only that one computer to the internet, with the very best antivirus protection on it. And I would not put that computer on the company network; use flash drives to move stuff between that computer and other computers. And be sure to regularly backup everyone’s data.

In this scenario, there would be two extra computers — one would be the file server, and the other would be the internet-connected computer. These two computers would not be used by anyone, except that the internet-connected computer would be for downloading/uploading files; and it would be used only by someone who is not prone to spyware/viruses.

Also, users should not be allowed to install anything except approved software.

Sometimes you have to get radical in order to stop these sorts of infections from occurring. If your company is not willing to take radical, strong action, the problem will continue. It is up to your company to decide this; there isn’t much you can do about it if your company doesn’t make the decision to do it.

Group "L" (Linux Mint)
with Windows 10 running in a remote session on my file server

Reply | Quote

Our company is so small that it is the boss, who oversees another company, myself and the girl who collects viruses. one would think that with so few people this issue would not occur. We have decided that we will get her a new computer asap and have the important computer available exclusively for print jobs and once she has a new computer in my office the internet access on the other computer will be heavily restricted and/or disabled. I appreciate everyone’s advice. you have been a big help in determining what we need to do

Reply | Quote

I don’t want to completely disable downloading or make it obvious that I am restricting her computer, but I want to make it so she cannot download any programs and I cannot afford to spend another day fixing her computer when I could be doing actual work. Her computer is also linked to a lot of expensive equipment and software. Her computer houses our network and our backup files, in fact for me to access client files I need to be networked to her computer. Any ideas?

If you’re not the companies IT tech or her boss then it’s not ANY of your business.
What she NEEDS a sit down and some very clearly laid out stern warnings from those directly in charge.
YOU could find yourself on the street with HER if they find out you were tampering with any of their expensive systems that were infected.

THINK ABOUT THAT INSTEAD.

And if you actually are her boss then that’s on you for allowing this to continue.
If you can’t sit her down and do what needs to be done then get someone who can.

Reply | Quote

If you’re not the companies IT tech or her boss then it’s not ANY of your business.
What she NEEDS a sit down and some very clearly laid out stern warnings from those directly in charge.
YOU could find yourself on the street with HER if they find out you were tampering with any of their expensive systems that were infected.

THINK ABOUT THAT INSTEAD.

hey man, calm down. I am her direct supervisor, and I was asked by the company owner to fix the issue. As far as my boss the owner, is concerned I am the IT department, the supervisor, lead customer service etc. I am beating around the bush with her because I have been asked to. Thanks for the lecture though.

Reply | Quote

hey man, calm down. I am her direct supervisor, and I was asked by the company owner to fix the issue. As far as my boss the owner, is concerned I am the IT department, the supervisor, lead customer service etc. I am beating around the bush with her because I have been asked to. Thanks for the lecture though.

Asking some one to calm down is diverting the issue that you and her could be on the street. Think about that, not answer, nor redirect blame to Clint or others.

Reply | Quote

Asking some one to calm down is diverting the issue that you and her could be on the street. Think about that, not answer, nor redirect blame to Clint or others.

That was directed to a post we found was not a rules complying reply and thus was removed.

Reply | Quote

Thanks for the lecture though.

No problem. She must be valuable, otherwise she’d be out of there.
Thanks for the clarification.

Reply | Quote

ALL of the above initial recommendations are sound and easily implemented. [excluding the firing suggestions which I can imagine those saying it have stood in your shoes and had to deal with a similar employee more than once…understandable but not an option.] And should be.

Another option would be to switch to OpenDNS as your DNS Server. Their business Enterprise, (especially) Insight and Umbrella can be of use. Effectively it would allow you to block sites she has access to and well as some OpenDNS intercepting of potential malware passing through their system on the way to you. This is no substitute for hardening off her PC and the rest of your network however. Just another layer and some oversight capabilities. I am not certain however, if it is intended for small networks.
https://www.opendns.com/enterprise-security/

How-to Install & Configure Windows 7, Security Guide
Tech Support Guy
https://forums.techguy.org/threads/how-to-install-configure-windows-7-security-guide.1022742

Reply | Quote

Fascist Nation,

Please tell me more about OpenDNS. I make my living as a medical and science writer and need my laptop.

Thanks.

Charles

Reply | Quote

Charles,

On occasion I’ll run SuperAnti-Spyware but I always browse with NoScript, uBlock Origin, Disconnect, WOT and a good dose of common sense and thus usually don’t have a problem w/spyware. A little dose of CCleaner to clean out cookies I may temporarily let through also.

HTH :cheers:

May the Forces of good computing be with you!

RG

PowerShell & VBA Rule!
Computer Specs

Reply | Quote

I received a notification of a post asking for more info on OpenDNS but it must have been edited.

However, this is something else that OpenDNS provide which may be of interest.

https://www.opendns.com/home-internet-security/

Reply | Quote

If my facts are straight, you are a 3- person company- a boss who is largely offsite & uninvolved, a woman who is causing the problem who the boss will not fire & replace, and you, stuck in the middle, as the person who has to assume all the duties that the employee cannot handle herself, and the boss will not take the time to address. So you get to do most of the work. I’m guessing you’re overloaded, as a result. If you weren’t, fixing her computer might be an annoying recurring task, but it wouldn’t be so stressful.

Going on from here to a bit of inductive reasoning: it would appear you are tasked with whatever the boss WON’T handle and the woman CAN’T handle. So YOU are the most valuable person in this threesome, in actuality. I’m also strongly suggesting that, unless the woman possesses job-related skills that are difficult to replicate, that she is most likely either a relative of the boss, a relative of a close friend of the boss, or is in a sexual relationship with the boss. If none of these are true, then it is most likely that the detached boss just wants to remain detached, rake in his profits, and not have to be bothered with the effort to hire anyone new.

The next question, then, is why YOU elect to stay in this position. It would seem to me that your best solution would be to find another job that would be less frustrating. Unless you have a black mark on your record that makes securing a new job very difficult, or you are now working at a self-learned experience level and (hopefully) a commensurate salary that would be beyond your reach at another company, because of the lack of proper “credentials”, why are you not testing the waters and looking for an alternative position? Are there issues in your own family (ex. small town without other similar opportunities and a spouse who doesn’t want to move) that are keeping you from doing so, or do you have personal insecurities that are holding you in place?

Note: “Inductive reasoning” means (largely) guesswork, and NONE of the above may be applicable in your situation. It’s just that I’ve seen so many others in similar situations discussed on blogs for my non-computer-related profession that I think they MIGHT also be applicable here. If none of the above are true, why not start searching for another job opportunity, especially if you can do so without your boss finding out? If you secure one, you can then either accept it outright, or use it as a cudgel to extract better working conditions and better salary at your current job, and perhaps even a firing of the miscreant employee, as he may well fear losing you and your jack-of-all-trades capabilities more than he fears firing the employee, or undergoing the effort of finding a replacement for you.

Reply | Quote

The key here is education. I’ve been running with Windows Defender (Windows 10) or Microsoft Security Essentials (Windows 8 and earlier) for many years, without ever getting a malware infection myself. I’ve “demalwared” many computers that were infected in spite of Avast, Norton, McAfee, and a host of others. (Personally, I wouldn’t recommend Avast over Windows Defender.)

The “bad guys” try to make their software FUD (Fully undetectable – at least for current scanners http://krebsonsecurity.com/tag/full-undetectable/), and it appears that they succeed for the most part. It doesn’t matter what anti-virus you’re using. You have to use that anti-virus scanner between your ears instead.

PUPs are probably the biggest problem that I encounter. I’ve come to believe that most AV/security products don’t ever catch these. In most cases, the solution is to observe when installing something. Never take the default choices. READ what the installation screens say. Most people don’t read anything – they just click. So, educate this person or take away her download privileges. It would probably be less costly for you to do all of her downloading and then hand her the files on a USB Flash Drive.

Of course, take common-sense precautions. I like the idea to use OpenDNS.

Reply | Quote