I have been using this strategy for years and I am now finally ready to recommend this approach to security-conscious Windows users who have grown tired of dealing with a myriad of malware issues. Virtualization and Linux distros have finally reached the point that with a bit of reading and/or YouTube, creating a virtual machine (VM) isn’t that difficult. Modern x86 hardware should easily be able to handle the load to make it a pleasurable experience. I consider a Linux VM a viable tool for malware mitigation on a Windows host; an effective supplement to traditional signature-based detection mechanisms that are becoming increasingly ineffective in combating zero-day threats. Still the majority of malware in the wild is designed to target the Windows OS. Using a VM as an additional layer of protection is an effective strategy against botnets, ransomware and other trojan’s that are increasing in sophistication and have caused massive headaches for Windows users in recent years. They are not going away anytime soon. The theft of personal information and extortion are important enough reasons for many to consider using Linux VMs, even with the inconvenience of having to manage a guest VM in order to do web-based activities. In doing so, you will drastically limit the scope of malware finding its way on to your Windows host machine through a range of well-crafted attack techniques.
Keep in mind there is no silver bullet to online security. Linux is certainly not immune to web-based threats, but is generally considered well protected by design against malware. There is no need to dig into the wallet. Virtualization software and Linux are available for free, so why not try it out? There will be a learning curve if these concepts are new, but think of it as a project and take a weekend to play around with it. You may come away with a further interest in Linux, all while increasing your security posture and awareness. Here are my recommendations based on getting up and running with ease of use in mind.
VirtualBox – various network configurations (NAT, bridged, host-only), cloning and snapshot support.
MINT – has everything you would expect in a desktop OS with features that are Windows user friendly: Cinnamon Desktop Environment, VLC media player, Gufw – gui to manage firewall, ClamAV – if sharing files with Windows host, Browsers – Firefox (default) / Chromium – protect your browser of choice with security add-ons and extensions as discussed in “Security and the Browser“. Only install software from the official repositories.
Don’t forget to secure the Windows host operating system as much as possible. You may still want to reach out to the internet for Windows Updates, or if VirtualBox does not support your hardware (e.g. webcam). Tips: Host-based firewall – create restrictive rules for outbound traffic, Application Whitelisting using Software Restriction Policies (SRP) or AppLocker (only available in Windows Ultimate/Enterprise & Server editions). There are many guides and strategies available online. Here is an example of how SRP was used to block the infamous Cryptolocker ransomware. Continue using an antivirus/anti-malware solution on your Windows host – Avast provides a decent free package.
Additional Tips: VBox and MINT have awesome community forums where you can find your answer to just about anything. If you post a question, chances are it will be answered in the matter of hours if not sooner. Configure SSH on MINT and use WinSCP to securely transfer files between the host and VM.