Protecting bench machines from infected customer HDDs?

bytebuster (New Member, Reaction score: 1, Location: Sacramento, CA)
I was at Frys today buying parts for what will be my bench machine, and I noted that Frys doesn't sell Linux. This machine was a secondhand stock customer PC that a customer had traded in to a local independent shop for credit towards a new box. The shop sold me a beefier PSU but left the hard drive as is, wiped and with a fresh copy of XP installed. Since Getdataback only runs on Windows, I'd like to keep the stock OS instead of installing Linux. Is there any way to make sure that any infection on a customer's HDD doesn't copy itself onto the machine's HDD? I will have this machine disconnected from the internet, and I already know to watch for strange pop-up boxes and such, but I'm worried about drive-by transfers and such. What do you guys use?
 
Image the drive on the bench machine.

If it gets infected you can easily image it back. I personally use DriveImageXML to do this.
 
I've never heard of drive-by transfers, unless you mean autoplay (which you should have turned off). AFAIK an infection on a slaved drive can't hurt you unless you actually run the executable. You can even copy a malicious executable to your machine, and as long as you don't double-click it or have the same registry entries as the infected machine to run it on boot, it can't hurt you. Now if a customer's machine is booted on the same network as your bench machine at the same time, then you need VLANs or firewall/HIPS or Linux to stop worms (which don't seem to be as common nowadays).
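The "autoplay turned off" advice above depends on a couple of registry policy values. The following PowerShell script is an added example, not code from the thread, that audits those values on a Windows bench machine and, with -Apply, sets them; it assumes the documented Explorer policy key, the NoDriveTypeAutoRun drive-type bitmask (0xFF = all drive types) and the NoAutorun value from Microsoft KB 967715.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the
# AutoRun/AutoPlay policy values a bench machine should have. Run as
# Administrator when using -Apply so the HKLM values can be written.
function Test-AutorunPolicy {
    [CmdletBinding()]
    param([switch]$Apply)

    # Each check: registry key, value name, and the value that means "disabled".
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers all of them.
    # NoAutorun = 1 makes Windows ignore autorun.inf entirely (KB 967715).
    $checks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 0xFF },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun';          Want = 1 },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 0xFF }
    )

    foreach ($c in $checks) {
        $current = $null
        if (Test-Path $c.Key) {
            $current = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # Compliant when every required bit is set (a stricter value still passes).
        $ok = ($null -ne $current) -and (($current -band $c.Want) -eq $c.Want)

        if (-not $ok -and $Apply) {
            if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            New-ItemProperty -Path $c.Key -Name $c.Name -PropertyType DWord -Value $c.Want -Force | Out-Null
            $ok = $true
        }

        [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Current = $current; Compliant = $ok }
    }
}

# Report only; add -Apply to enforce. Sign out and back in for HKCU changes to take effect.
Test-AutorunPolicy | Format-Table -AutoSize
```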
 
It's exactly as Crgky127 explained it.

Your shop network should already be split. You can use VLANs to do this with a decent router (DD-WRT or a decent SOHO), or if you absolutely must you can double NAT by putting a second home router on your network that is connected to the Customer Network (not recommended, but it would do the job as well).

Business Machine Network (Front Desk, etc.)

Customer Network (Your Bench System and everything else)
 
Maybe you can run the entire PC in a "sandbox" type of operation if you're worried about cross-contamination.
 
I've never heard of drive by transfers, unless you mean autoplay (which you should have turned off). AFAIK an infection on a slaved drive can't hurt you unless you actually run the executable.

I think that the TDSS MBR virus can jump from drive to drive if you mount an infected one. I haven't taken the time to fully test this, but I have been noticing that TDSSKiller is seeing an MBR virus on my Drive 0 shortly after clearing infections in a "guest" drive. There might be other reasons for this behaviour but this so far is my interpretation.
 