PC quarantines raise tough complexities

 

Summary

Security experts call the concept "interesting", but too many uncertainties make the idea of quarantining a PC almost impossible to implement, with legal and user issues difficult to iron out.

The concept of quarantining PCs to prevent widespread infection is "interesting, but difficult to implement, with far too many problems", said security experts.

Microsoft's security chief Scott Charney mentioned that ISPs could be allowed to quarantine infected PCs in "infection wards" to ensure the machine is cleared of malware before its connection is allowed to resume.

In an e-mail interview with ZDNet Asia, Michael Sentonas, McAfee's CTO for Asia-Pacific, questioned the effectiveness of cutting a computer off from the Internet when security software updates and operating system patches can be obtained only online.

"There is also the issue around educating consumers or non-security professionals on what to do if they are infected and quarantined. Many non-security trained Internet users understandably leverage the Web to resolve issues. How are they going to achieve this without Internet [access]?" asked Sentonas.

Other questions about resolution may also be difficult to answer, he said, such as who releases the computer from quarantine once the machine is remediated, and who determines that the machine is safe.

Sentonas also likened the concept to not allowing an unsafe car on the roads so that others are protected, which ESET's senior research fellow David Harley said works up to a point. However, he added that success would depend on individual implementations.

While enterprises have used [the concept] for years to protect their own networks, home users who are also the system administrators are often "ill-equipped" for such a role, Harley commented. But he admitted that such an approach could have a significant mitigating impact, subject to the diagnostic accuracy of the ISP, which very often could be a hit-and-miss situation.

RSA's corporate sales engineer Jeffrey Kok, however, is opposed to such an action. He concurred that quarantining works in enterprise networks and is a standard operating procedure for most organizations, but said it is impractical to enforce on a national or global scale, simply because ISPs are not equipped or staffed for such an implementation. And because newer Trojans and bots are dynamically updated, shutting down domains is a desperate yet futile method.

Kok argued: "Rather than chasing after the bot infections, which are effectively impossible to prevent, it is more efficient to just deprive the benefits that can be obtained from botnets."

Should the quarantine action be adopted, the questions of where it should be done and what the standards and procedures should be can be tricky, as conditions differ from country to country and are dependent on the contract between the consumer and the ISP, both experts said.

As Sentonas pointed out, the situation in an enterprise is less complicated than that of a home user, as "configuration of individual systems may be standardized and regulated centrally". Dealing with home PCs, however, raises numerous possibilities and complexities given the different systems and applications.

Legally, Harley was concerned with loss of earnings due to quarantining a PC. "If the PC is infected, VoIP may be impacted. [The question then is whether] the total loss of VoIP access would put the user in a precarious position. Consider the situation where the user does use some software, paid or even free. What appeal process does he have?"

On the other hand, this "walled garden" approach may be a revenue stream for security providers supplying contracted services to other service providers, said Harley. That said, if it is used as a marketing tool for the security provider, this might create legal problems.

"Indeed, we're already seeing instances where fake support services circumvent legislation that regulates cold calling by 'solving' security problems on the victim's PC, but for a fee," explained the ESET research fellow.

"The walled garden approach can be said to be 'grooming' end users for this sort of abuse," he added, noting that banks could in the future require the use of approved security measures before allowing a customer to connect to its servers.

 
