Since staying in Cambodia every time I've encountered another computer on which I've had to use my external hard drive on (usually an XP system of some kind), I've found I always ended up with a virus on it without fail. Its also the case that every time I've used someone else's USB stick or SD card on my computer I always found viruses on them too. This is no exaggeration. I keep telling my wife to be careful where she uses her USB stick but every time I've checked it, it always has viruses on them every couple of months or so. 

The problem…

Many systems in Cambodia (including nearly all internet cafes I've used out here) are either running none legit copies of XP 32 that can't actually receive security updates which also includes the very efficient security essentials or they're running a modified version of XP 32 that does allow for security updates but most probably contains included security flaws via the modifications that can't actually be plugged up even with the security updates.  Many of these system will be using free anti virus software like AVG (which will work on the systems that can't receive free security updates including security essentials anti-virus app itself) but it seems that AVG is evidently unable to detect many of these viruses. 

Root kits virus

I don't know why I'm thinking gardens but here's a gardening analogy. I hate gardening, but from time to time it had to be done and the common garden variety weed just annoyed the shite out of me in how stubbornly persistent they were in being a blighting factor to get in the way of achieving a beautifully unblemished, lush, even green lawn. You can cut the head off a garden weed but its not long before it grows back whilst its roots grow deeper and thicker, even if you remove it from the roots up it only takes a few tiny fragment of its roots to be left behind in the dirt for a new weeds to quickly grow in its approximate area.

Now these viruses might not actually screw up the system in any obvious way but they will allow for additional discrete access too all these systems. There'll also be many ports that are open that these viruses are using that I'm certain many systems administrators within the many-MANY internet café's across Cambodia aren't even aware of. But by simply closing these ports they will notice a significant increase in speed on all their systems whilst noticing reduced phantom like internet traffic. Depending on how many machines are infected within a network and how sever the issue is on their network they might even notice a drop in the amount of data being used.  The problem is some of these viruses are very nasty, because even if you remove all the registry entries for them and deleted the virus and the affected applications there will be hidden files that will re-install the virus and try to make it appear like the virus isn't on the system any longer. Even worse if they re-install and you manage to disrupt them by closing the ports on the viruses some will then proceed  to corrupt the OS and quite often also cause irreparable physical damage the actual hard drive itself. 

Also the included software firewall for XP is just awful and barely stops anything compared to a Vista or Windows 7 firewall. I'd also be dubious of free (and even some premium) software based third party firewalls too, do you really think that they would exclude access to your system for themselves? Especially if it was a free firewall no matter how good it is. It's very easy for these firewalls to create enough of a significant performance increase to cause your whole system to seriously speed up just by simply closing ports. After which they will allow themselves access to your system without you noticing having created enough of a system performance increase to cover it up and while all while you just think it did an excellent job for you. But what do you expect considering its free and it did in essence improve system performance for you. You might also notice that if you try to remove these very good free firewalls they leave registry and DLL files that can't be directly removed whilst you're actually using the actual OS. 

The false sense of security many get just by using the firewall on a consumer grade router

Many of these viruses will also be able to negate the hardware based firewalls in general consumer class routers. In fact there are many applications and viruses that simply use ports that are still readily available to use that the router doesn't even close, in which case it wouldn't even need a special exploit to be taken advantage of with the appropriate applications or virus installed. However I will say some consumer grade firewalls are much better then others for accounting for this potential factor.

Don't under estimate Security Essentials

Security essential is by far one of the best anti virus programs out there. It detects all the viruses that other free alternatives miss as well as those that some premium anti-virus software miss too. Some people would be suspicious of an anti-virus program created by Microsoft but if you think about it what could they put in it that they couldn't already include in the OS itself and what would they have to gain from an infected Windows OS? Meaning despite the fact its free they have an even greater vested interest in insuring that their OS doesn't get infected. 

Other issues that I reckon further compound the problem in a place like this

Many general computer users and semi skilled network administrators familiar with MS OS outside of corporate IT infrastructure just won't have the expertise or knowledge to know which ports to close and what they can do to close them without it affecting the applications that they like to regularly use, as a consequence even when they do try closing the ports to find it stops some of the applications and  programs they use from working correctly they just open them again anyway. I'm also inclined to believe that various none corporate and reputable organizations will also suffer this problem too.

Depending on how prevalent the problem is as a collective national thing, plugging up many of these things could even increase overall internet performance for the general area. 

Maybe you can't afford a hardware based firewall (although there are some very good second hand ones that are quite cheap these days that will more then adequately do the job), maybe you can't afford an independent systems analyzer that could reconfigure and optimize your current setup and make recommendations for an upgrade path within some kind of budget however tight that might be, maybe you can't afford to get legit copies of Windows on each of your terminals just to be able to get the resource sipping light weight real time anti-virus program that is security essentials on each of your terminals.

My recommendation (unorthodox but will most likely significantly simplify maintenance where IT expertise aren't regularly on hand to perform a deep troubleshoot of your systems)  

It might seem elaborate but I reckon its the best solution to simplify the process of maintenance for many of these places. It could be as simple as re-installing the host OS fresh on all terminals and have as few applications installed as possible on the host OS to leave only pass through network access functionality for any potential VM. Then optimize it  purely for the running of a virtualisation shell and virtual machines. Generally the VM app/shell will do the rest as far as hardware interfacing is concerned as well as allow you to tweak any specifics that it might require for certain host OS to VM OS hardware settings. Then create one master windows XP/vista/7 VM that you can install onto each of the terminals. Doing this ensures that the host OS will remain untouched by any potential viruses, it would also mean that you could simply just delete the VM if it becomes corrupt, slow, seriously infected  or just generally exhibits anomalous performance fluctuations that you don't want and can't actually figure out.  I'd personally try to completely trouble shoot and optimize the VM first like a regular host OS first but that’s just me.

After you delete it you could re-install one of any number of ready made windows XP/vista/7 VM's that you've created beforehand just by simply copying it over to the host machine/terminal that you deleted the previous screwed up/infected VM from. 

Free virtualisation software that you can download and use for free

Get Virtual box, as you'll only be running one VM at a time on these terminals. it’s a high quality VM app/shell that will allow you to create and run a Windows or Linux based VM on a host Windows or Linux based machine. Oracle who are well known for providing high end custom corporate IT infrastructure solutions to industry actually bought Virtual Box some time back and now maintain it to this very day.  Install Virtual Box to each of your freshly re-installed XP based host machines/terminals. 

Alternately you could also... 

Get VMware's VMware player which is also a completely free VM app/shell to download and use. It doesn't allow for system memory partitioning and allocation for dedicated VM usage purposes like VMware workstation but as mentioned before if you're only using one VM per host terminal dedicated partitioned system memory is not really going to be something that’s required.

!Note!: It will be a case of using one or the other. VM's created using Virtualbox will not work in VMware player and VM's created using VMware player will not work in Virtual Box.

The quickest way if you're using XP or Linux as a VM on each of your terminals/host machines

After you create your VM just install all the basic applications to the VM that you will require for each of your terminals. Then simply just copy the VM that you've created to each of your terminals. Then its just a case of optimizing the VM for the specific hardware dynamic of the particular terminals that the VM's have been installed to for the best possible performance on it. This is easily done via the easy to follow VM app/shell menu options.

It might seem obvious to some, but evidently its not for many others

Test any new application in a separate VM first. During the testing period you can see if there is any major impact on system/VM performance. If you think its within an acceptable threshold and you trust it, install it to all the other VM's running on your terminals .

The point to this?

I don't think many of the small internet cafes here realise that they can actually realistically harness virtualisation to increase security, and productivity whilst simplifying the maintenance process in believing it to be a complicated and an inaccessible method for improving their systems. The more secure systems out there are the better it is for everyone not to mention it could significantly decrease unnecessary network load on ISP's for their performance to temporarily improve, or at the very least until they reach optimum peak load with new customers within the threshold of their current infrastructure resources before any potential upgrades to increase handling capacity might occur.  

 But for those who find this amusing. Did you actually use virtualisation in any major way for improving your own systems before we unfortunately or fortunately (depending on your standpoint) crossed paths? Depending on who you are I think you know what my standpoint on that is and I'm sure you know why.

If you have 64-bit bit based processors in your terminals/machines

You might also want to consider using XP64 instead of XP32 to also help reduce risks of system virus infection. Most viruses that are capable of attacking XP systems are design to work on a 32bit kernel, meaning that if you use a 64-bit OS its going to be immune to a large portion of viruses by default. XP64 is also significantly lighter then post Vista variants of the Windows OS. 

Ready made and custom debugged variants for even more reliability and security

It's possible to debug XP64 to be even lighter then the default XP64 install. Depending on how its done it could also be made to be more impenetrable and more immune to viruses then Windows 7 whilst still remaining much lighter then a default XP64 install. However in doing this there is the obvious disadvantage of many common everyday applications not actually working on it in their default state which is why such a method is often usually only used for specific custom thin embedded applications where a very broad scope of general application compatibility is not required. But generally I can't see why this couldn't be adapted for more secure VM purposes if specifically  debugged for a core of applications that will be used across all systems within a particular network.

The beauty of VM's

A single VM or particular virtual appliances no matter what it is and what the requirements can be created and deployed across many systems. Meaning it wouldn't necessarily require a small hand of individuals to maintain or help to maintain many systems in any overly stretched way. VM's can be created and tested within any number of simulated limiting hardware constraints even before actual deployment in any particular intended deployed scenario.