I've recently been covering some of the IT stuff at work whilst the normal guy is on holiday, the usual crap - "my printer isn't working" "why have my icons moved" etc. But, this week I've had to sort two computers with viruses that have embedded some javascript into sites, one showing ads, the other just slowing things down massively with nothing visible on screen, just in source, wouldn't be surprised if it was passing data elsewhere, forgot to copy the exact JS line.

Our main system is browser based and we use Firefox.

Is it possible to build firefox as a dedicated portable program that is only used to browse a single site?

Would this be resistant to most virus attempts on browsers?

Or any other ideas the secure the browser based system in some way?

I assume Windows? If it were Linux you could sandbox it, chroot it, containerise it etc...

If you can't do that then at the least I'd install noscript, µblock and https everywhere, whitelisting necessary sites as needed.

 

Oh and no Flash/Java, obviously.

Yep, Windows.

noscript looks handy for sure.

Only problem is that people also use Firefox for general browsing at times, I know I do.

Maybe a portable version of Firefox that is centrally served with address bars, menus etc disabled but with various addons to protect installed.

Noscript is a good start but most malware gets in through ads so an adblocker (and ublock origin is the best) is a must.

There's also Privacy Badger, also by the EFF, which is a more complete solution but will require more fiddling.

And yeah, definitely-without-a-doubt no Flash.

None of that should hamper normal browsing.

You want them to only access the company site? Can you get the site on a non-standard port and block 80 at the firewall?

Not exactly, I have no issue with browsing.

What I want to do is essentially wrap the company site in its own program to try and make it more secure.

(this will probably never happen, but because I've seen two separate users have issues where something has been injected into our main system I think it is worth suggesting if there is a solution).

If that's what you want to do you could maybe use something like Electron and just build an app that does nothing but point to that one website. Electron is essentially webkit as a platform for building desktop apps on and I'd imagine that getting it to point to a single website would be the simplest app you could make.

 

OK, you lost me. We've had issues with javascripts 'injected' on to clients' web pages, but that has to do with the server security (lack thereof), not the browser (though if you prevented them from running javascripts, then they wouldn't actually be able to do SFA so um... nevermind).

Typical attack progression: malwares pay load dropper roots your box then deploys initial payload which is ad injection, or click fraud agents , after a day or so the machine gets sold on and the data exfiltraton is turned on and your data starts moving out the building, once that's complete or they get bored you end up with the nastiest of all the ramsomeware package, you've probably already done a full deep scan, I'd recommend a second with an alternate AV as the payload dropper looks to see which AV your running and drops malware that isn't detected.
HTH