Yours is a variation on a very common idea that’s been cropping up lately.
Unfortunately, there are a couple of problems with it.
On a network but not the internet is difficult
First, I’m just not aware of an easy way to make this happen.
I believe the normal solution would take a more complex router than most people have. It really is a routing issue, I believe, since it’s the router that would need to block your XP machine’s attempts to connect out to the internet. Perhaps there’s a hack out there that I’m unaware of, but it would seem that any such attempt would be complex at the least, risky, and perhaps even fragile.
And it wouldn’t really get you the security that you think it might. It’s like an old adage you may have heard in high school health class. When you kiss someone, it’s like you’re kissing everyone they have ever kissed (at least I think it was kissing). Anyway, the point that your teacher was making was that human bacteria and viruses spread through contact. The same is true for computers; and that’s one reason we call viruses viruses. They replicate and propagate through contact.
Now, eliminating internet connectivity from your XP box does make direct contact to the internet go away. However, it leaves that machine connected to your local network, which means it leaves that indirect contact in place. So, yes, your XP box could still be vulnerable to things that come in through other systems on your network. It’s a much smaller possibility, but it is a possibility that most definitely remains.
Networking is not the only way your XP machine could become infected. Transferring data back and forth via USB sticks is another possible vector. But being connected to your local network is definitely something that makes the machine more vulnerable than you’d really want it to be.
Disconnecting from important updates
And of course, removing internet connectivity from the XP box means any anti-malware tools on the Windows XP machine will not be able to keep themselves up to date: they won’t be able to update their database of malware definitions.
Microsoft Security Essentials (for XP) will continue to be updated for at least another year, and other anti-malware tools perhaps even longer than that. Given the risk of secondhand infection anyway, you still want that anti-malware tool updated.
So, in a case like this, my recommendation is: keep your XP machine connected to the internet, turn on the firewall, make sure your anti-malware tools are updating themselves regularly, and then use that machine for as little as possible. This is, perhaps, the single biggest thing you can do to reduce the exposure.
9 comments on “Will Preventing XP from Reaching the Internet Keep Me Safe?”
Hi Leo. I have a couple of XP machines. One runs with the XP Home Edition and it appears Microsoft Security Essentials will continue to be updated. However the other runs with XP Professional, and on that machine MS Essentials is flagged as “At Risk”. There is a product available called “Malwarebytes” which claims to match Security Essentials protection. Do you have an opinion on how well it should serve?
If you open MSE, it will tell you why it is at risk. Often it’s just because it hasn’t run a scan recently. You can go into the settings and change when it scans.
If it’s at risk because it doesn’t pick up the updates, you should try to figure that out. Can the machine connect to the internet?
Leo recommends Malwarebytes in addition to an antivirus program. Malwarebytes isn’t a complete AV solution, but it is great at finding and cleaning a lot of malware which other AVs can’t.
At the office, there are a couple of old applications which are used rarely — and don’t run on Windows 7 or 8. The output is a printout, which can be a PDF — and that can be taken by flash drive to a modern computer for actual printing. I’m planning to have a couple of computers operating completely standalone, then have users take the PDFs to modern computers. (Windows 8.1 Pro with Classic Shell)
Flash drive picks up malware and transfers it to the XP machine when you go to copy the PDFs. Still a risk.
There is a straight-forward way of turning the Internet “on” or “off” while retaining internal network connectivity. The technique is a little more complex than the average tips given here, but I’ve used it for a couple of customers that wanted a specific PC to NOT be able to access the Internet, but COULD access other PCs on the network.
First, determine your router’s IP address: in a command prompt, issue “ipconfig”. Your router’s IP address is listed for “Default Gateway”. For the following, let’s assume it’s “192.168.1.1” (it will usually end in 1 or 254).
To turn the Internet “off”, in a command prompt, issue the command:
ROUTE DELETE 0.0.0.0 MASK 0.0.0.0
To turn the Internet back “on” again, in a command prompt, issue the command:
ROUTE ADD 0.0.0.0 MASK 0.0.0.0 192.168.1.1
(if your router’s IP address is other than 192.168.1.1, use that address)
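A way to check the route-table approach from the comment above, added here as an example (it is not from the commenter or from Ask Leo!): it parses saved `route print` output and reports whether a default route is active or stored as a persistent route. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of XP-style `route print` output (not captured from a real host).
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
Default Gateway:       192.168.1.1
Persistent Routes:
  None
"""
# The same table after ROUTE DELETE 0.0.0.0: default-route row and gateway line gone.
AFTER = "\n".join(ln for ln in BEFORE.splitlines()
                  if not ln.lstrip().startswith(("0.0.0.0", "Default Gateway")))
# As AFTER, but with a stored persistent default route (re-added at boot).
WITH_PERSISTENT = AFTER.replace(
    "  None", "          0.0.0.0          0.0.0.0      192.168.1.1       1")

# A route row starts with destination, netmask and gateway as dotted quads.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})")

def default_routes(route_print_text):
    """Return the gateways of 0.0.0.0/0 routes, split by table section."""
    found = {"active": [], "persistent": []}
    section = None
    for line in route_print_text.splitlines():
        heading = line.strip().lower()
        if heading.startswith("active routes"):
            section = "active"
        elif heading.startswith("persistent routes"):
            section = "persistent"
        m = ROW.match(line)
        if section and m and m.group(1) == m.group(2) == "0.0.0.0":
            found[section].append(m.group(3))
    return found

def verdict(route_print_text):
    routes = default_routes(route_print_text)
    if routes["active"]:
        return "default-route-present"      # off-subnet traffic has a path out
    if routes["persistent"]:
        return "absent-now-persistent-route-stored"
    return "absent-now"                     # no route to off-subnet hosts right now

if __name__ == "__main__":
    for name, text in [("before", BEFORE), ("after", AFTER), ("persistent", WITH_PERSISTENT)]:
        print(name, verdict(text), default_routes(text))
```

The table only shows the current state: the gateway configured on the adapter (static or DHCP) puts the default route back at the next reboot, so the check has to be repeated after every restart. Any administrator-level process on the machine can also re-add the route, and hosts on the local network can still reach the machine either way.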
Gary, can you explain a little more on the ROUTE ADD method to prevent Internet whilst allowing LAN access? Looks good and just what I need for a few key legacy boxes running machinery. Will file sharing to these still work? (I.e., being able to dump files to these XP boxes from the other newer PCs that currently dump files to them.)
1) There is no easy way to keep XP off the Internet, and still connected to the LAN, so the alternative is moot.
2) Very few anti-virus and anti-malware programs still support XP, and we can expect even those few to end support soon.
3) Similarly, other software updates are ending XP support.
4) So the entire article is useless.
Fascinating summary of a so-called useless article.