It is absolutely possible for malware to spread through your LAN to your computer.
In fact, I’ve heard horror stories of malware that makes it past one person’s defenses to infect a single machine … and from that machine, move on to infect an entire small business’s network.
In situations like yours, a two-router solution can be a fine approach to protecting your computers. But yes, it can be a little complex to set up, and there are side effects. Fortunately, there are simpler ways to avoid spreading malware.
Some malware travels by network
While most malware these days has to be “invited” in – by downloading and running an infected file, or opening an infected attachment – another, perhaps even older class of malware is still present: the network-based threat.
Network-based malware simply uses your machine’s network connection to probe for other machines on the network, and then attempts to exploit any network-based vulnerabilities on that machine. If successful, the malware can spread from machine to machine simply by using the network connection.
For the most part, these types of malware aren’t as prevalent as they once were. But if you connect directly to the internet without any kind of protection, you can actually see that there are infected machines continually reaching out and probing for other vulnerable machines. These machines – often older, unattended machines that have never been updated or properly secured – are responsible for generating what some refer to as “internet background noise” as they keep plugging away, looking for other vulnerable machines.
Fortunately, protection is simple.
Your router protects you from the world
As I said, the internet is full of infected machines trying to reach any vulnerable machines they can.
Fortunately, your router acts as a firewall to stop them cold. Machines on the internet cannot initiate a connection to a machine on your side of your router; connections can only be made by your computer, outbound.
And that makes all the difference. You only connect to machines that you, or the software on your machine, choose to connect to. By maintaining good behavior, you know not to connect to machines, servers, or sites that want to infect you with malware.
But what happens when someone slips up? What happens when malware is invited in?
Windows firewall protects you from local machines
It used to be the case that Windows Firewall was something most folks, myself included, recommended you turn off, as long as you were using some other firewall, like your router.
That’s no longer the case, for two reasons.
First, that advice was based on its impact on your system performance. That’s no longer an issue, and Windows Firewall can be left on with negligible effect in almost all cases.
Second, by leaving it on, you’re protected from exactly what brought us here: malware that makes it onto another machine on your local network. Even if an infected machine is sitting right next to yours on the same local network with nothing in between, Windows Firewall is there, rejecting those unsolicited requests.
Your LAN and other machines
Windows Firewall will also protect your machine from other computers that share the “safe side” of your router, like your mother’s. If her computer becomes infected with network-based malware, then your use of the firewall will stop it from reaching your machine.
In fact, that is true if you have any machines on your network that you might not trust, like computers used by children or guests.
In your case, I would recommend turning on Windows Firewall if it’s not already active on your machine. In fact, on most modern machines I advise turning it on in any case; it doesn’t hurt, and it’s an additional layer of protection.
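One way to confirm the firewall really is on for the network you are connected to, as an added example that is not part of the original article: the function name Test-FirewallProfiles and its -Fix switch are made up for illustration, while the cmdlets are the standard Windows NetSecurity and NetConnection ones. Run it from an elevated PowerShell prompt.

```powershell
# Added example: report Windows Firewall state for each profile (Domain, Private, Public).
# Without -Fix the function only reports; with -Fix it re-enables the firewall and
# restores "block unsolicited inbound" on any profile that needs it (requires admin).
function Test-FirewallProfiles {
    param([switch]$Fix)

    # The profile that actually applies depends on how Windows classified the
    # network you are on. Connection categories use "DomainAuthenticated" where
    # firewall profiles use "Domain", so normalise the name.
    $activeNames = @(Get-NetConnectionProfile |
        ForEach-Object { "$($_.NetworkCategory)" -replace 'DomainAuthenticated', 'Domain' })

    foreach ($p in Get-NetFirewallProfile) {
        $problems = @()
        if ($p.Enabled -ne 'True') {
            $problems += 'firewall disabled'
        }
        if ($p.DefaultInboundAction -eq 'Allow') {
            # Unsolicited connections from other LAN machines would be accepted.
            $problems += 'inbound allowed by default'
        }

        if ($Fix -and $problems.Count -gt 0) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        }

        [pscustomobject]@{
            Profile  = $p.Name
            InUseNow = $activeNames -contains $p.Name
            Problems = if ($problems.Count) { $problems -join '; ' } else { 'none' }
            Fixed    = [bool]($Fix -and $problems.Count -gt 0)
        }
    }
}

# Report only; add -Fix to correct any profile listed with problems.
Test-FirewallProfiles | Format-Table -AutoSize
```

A row with InUseNow set to True and anything other than "none" under Problems is the case the article warns about: another machine on the same LAN can reach yours unfiltered.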
While Windows Firewall is probably the easiest solution to implement, there are other approaches that can be used as well, either instead of, or in conjunction with it.
Multiple routers. I actually lay out an approach to doing this in “How do I protect myself from my children?” By using a second router, you can set up a separate local sub-network isolating some of your machines. With a little help from your ISP (in the form of a second IP address), you might even be able to set up a completely separate network.
Guest-access routers. Many WiFi routers now include two network connections: the primary connection to your local network, and a second one for the use of your guests. The two are then completely isolated from one another, sharing only that internet connection. The “guest” network doesn’t have to be for guests – it could be how your children, mother, or other less risk-conscious individuals connect, without putting your computers at risk.
I’d be remiss if I didn’t remind you that none of this replaces good internet safety habits. Specifically:
- Keep your anti-malware tools running and up-to-date. Network-based threats are only one type of malware. The networking solutions discussed here will not protect you from other forms of malware, such as malicious downloads or attachments.
- Be careful sharing files. If you transfer files from one machine to another, you’re bypassing any network protection you have in place. Copying an infected file from your mother’s computer to a USB stick, and then copying that file to your own machine, is a fine way to compromise your own machine without realizing it.