Slashdot Mirror


Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"


  1. Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 5, Informative

    I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment, though you can do it manually as well. Definition upgrades as well as version upgrades of the software are also automated. Take a look at this page from their website. Lavasoft also has an enterprise product that is pretty good, though I think Webroot has a slight edge.

    --
    http://www.busyweather.com/
    1. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by SilentChris · · Score: 5, Informative

      You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

      The only one that I've seen get through (and it's not really spyware) is changing a person's homepage. I'm not sure why IE even allows this. Fortunately, the main reason for switching someone's home page (slamming them with pop-up ads) is kind of diminished with SP2.

      My feeling: the vast majority of administrators don't take advantage of the tools MS has provided. The one complaint I've heard ("We use programs that require special permissions, so we can't have staff run as limited users") is bollocks. Do what we do: take a few hours out during a deployment, contact the original software manufacturer (or figure it out in house) and set all the permissions correctly.

      And it's not just unknown shops. I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?

    2. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by trick-knee · · Score: 5, Informative

      proper permissions usage and implementation is really the best way to lock down a machine when you can't rely on the user to keep from inadvertently installing junk.

      and doesn't the great grandparent (first) poster read like astroturf?

    3. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by m_pll · · Score: 3, Informative
      You could write a startup script on the machine to reset the home and search pages to a default you specify.

      Better yet, use group policy. Go to User Configuration\Administrative Templates\Windows Components\Internet Explorer and enable these policies:

      Disable changing homepage settings
      Search: disable search customization

    4. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Anonymous Coward · · Score: 5, Informative

      What? I've got a bunch of people synching Palms in Windows 2000. They are domain users and don't even have accts on the local system. Try adding the user to the administrators group for the first sync and then removing them.

    5. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by revividus · · Score: 3, Informative
      Why is this moderated to zero? The anonymous coward is correct; if you add the user to the admin group, install the Palm software, and then take the user out of the admin group after the first sync, it will continue to work.

      At least, this was my experience after many experiments.

    6. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by coats · · Score: 4, Informative

      AFAIK, Word 97-2003 have the same file format. Excepting some possible formatting issues, reading the documents shouldn't be a problem...
      Can you say, clueless!?

      There are incompatibilities between the paragraph and character styles and the numbering mechanisms among the versions of Word you talk about (97/2000/XP), and going back and forth among them is a sure way to almost-irremediable document corruption. As a corporate-law attorney, my wife runs into this problem all the time.

      Word can't deal with it; the commercial product for cleaning up the mess runs $5000/seat and many law firms consider it well worth the price. (Or you can use the industrial-strength .doc-parser found in abiword or OpenOffice.org:-) .)

      --
      "My opinions are my own, and I've got *lots* of them!"
    7. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by RMH101 · · Score: 2, Informative

      bollocks. if you need it, it's already there: this is why we have a standard desktop client that's rock-solid stable. just because you're pissed off because you can't install webshots, don't assume that there's not a valid and sound reason to lock down clients.

  2. you mean... by maxdamage · · Score: 5, Informative

    besides freezing them?

  3. Easy solution by IoN_PuLse · · Score: 1, Informative

    Use FireFox instead of Internet Explorer. www.mozilla.org

    1. Re:Easy solution by Awptimus+Prime · · Score: 4, Informative

      Use FireFox instead of Internet Explorer. www.mozilla.org

      Though this is a quick way to get a "+5 Informative", it is not a valid solution to most Adware/Spyware/Malware exploits. The majority of this software is installed as part of another application. For instance, the notorious "Internet Optimizer" and "Gator". Running FireFox does nothing to stop an ignorant user from falling for a snappy ad and installing something bad on their workstation.

      I'm not defending IE, I'm just pointing out how it does not apply in this particular case and Mozilla will, by no means, be the end all of web-related tragedies.

    2. Re:Easy solution by Em+Ellel · · Score: 1, Informative

      I am running IE and FireFox (using both). Tonight I ran AdAware and found spyware in FireFox and not in IE. The more people use Firefox, the more Firefox spyware there will be. Switching to Firefox does not solve the problem in the long run.

      --
      RelevantElephants: A Somatic WebComic...
    3. Re:Easy solution by Em+Ellel · · Score: 5, Informative

      Why is a normal user allowed to install programs in the first place?

      Because that computer thing is meant to be USEFUL

      --
      RelevantElephants: A Somatic WebComic...
    4. Re:Easy solution by civilizedINTENSITY · · Score: 2, Informative
      Our library moved to firefox with similar positive results. In regard to a mail server, our university uses squirrelmail, which is a standards-based webmail package written in PHP4. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers. It has very few requirements and is very easy to configure and install. SquirrelMail has all the functionality you would want from an email client, including strong MIME support, address books, and folder manipulation.
    5. Re:Easy solution by Anonymous Coward · · Score: 1, Informative
      You mean tracking cookies. Cookies allow you to be tracked by design, it's a "feature" of the Internet, not a bug. Of course, you can always change your cookie settings if you want to restrict sites' ability to do this (like only allowing same-domain cookies by default). This isn't spyware, though most spyware detection programs also detect commonly used tracking cookies - in some cases they even overzealously flag cookies for removal that are probably fine.


      In any case, this has nothing to do with IE or Firefox, the number of cookies you've accumulated is directly proportional to the amount of time you spend using that browser and which sites you go to with it, assuming both browsers are set with the default cookie settings.


      Firefox has had a couple attempts to write malicious XPI malware for it, equivalent to the reams of malicious ActiveX objects out there. Of course, you still had to agree to install it, unlike many of the ActiveX exploits over the years that have allowed spyware to self-install without your permission (no, this shouldn't happen if you have SP2 or the equivalent set of Windows Update security patches for IE6, but many people don't).


      However, the Firefox devs have rapidly moved to squelch this, and with Firefox 1.0PR (or maybe even 0.9x), XPI installation is turned off by default for all but Mozilla's own domains now. You get a small message across the top of the browser window, and have to go through several clicks to activate XPI installation for a domain, THEN approve the installation of the XPI, so no unexpected XPI malware popups anymore (these were most notoriously on astalavista.box.sk, but probably other sites as well).


      In short, for the time being at least, barring complete user stupidity which is entirely "cross-browser", Firefox is far more secure than IE, and there isn't even the possibility of accidentally approving a spyware/malware popup request anymore. If you still get spyware on your computer and use Firefox, it's almost certainly from an app you download. Incidentally, I just ran Ad-Aware for the first time in probably 8 months on this PC, and it found absolutely nothing but a bunch of cookies - probably because I never use IE unless I'm going to a site that requires it and that I trust, and because I'm fairly savvy about where I download stuff from and what I run on my PC.

  4. Don't let'em in. by gustgr · · Score: 2, Informative

    What about blocking or filtering the spyware and adware at your proxy? If it doesn't get into the network, it will not affect your computers.

    1. Re:Don't let'em in. by gustgr · · Score: 2, Informative

      You may try to filter/block with squid. Try these sites:

      http://www.squid-cache.org/related-software.html

      http://sites.inka.de/sites/bigred/devel/squid-filter.html

      There is a proxy called Privoxy with some advanced filtering capabilities.

    2. Re:Don't let'em in. by hsidhu · · Score: 2, Informative
      It has been said before and I will say it again: a community-based /etc/hosts file such as this one works for me. No need to communicate with people that peddle crap.

      Just ignore the crap out there.

  5. the newer AV's do by Nate+Fox · · Score: 4, Informative

    I usually don't recommend upgrading antivirus programs to my clients, but the latest round of 2005 versions basically have adware in with their virus defs. Not sure about the corporate level stuff, but almost all the major consumer AVs do.

    1. Re:the newer AV's do by Anonymous Coward · · Score: 1, Informative

      McAfee VirusScan Enterprise 7.x and 8.0 have features that allow you to block potentially unwanted programs as well as joke programs. This and their ePolicy Orchestrator is all I use for my Windows workstations on my network.

  6. Simple Solution by InfinityWpi · · Score: 1, Informative

    Disable write permissions for all users. Roaming profiles, no browser cache whatsoever, no ability to write any file to the drive.

    I never said it was a -good- solution...

  7. Obvious solution by glomph · · Score: 2, Informative

    Stop dedicating your life to subsidising Microsoft's hegemony. Move people to a good, maintained Linux Distro. Yes, it is possible.

    1. Re:Obvious solution by gd23ka · · Score: 2, Informative
      No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but it's just not ready yet. There is no god dammed Access...

      There is. It's just that these apps still need to be licensed if you absolutely can't switch to OpenOffice or Sun's commercial StarOffice. Many distros, such as SuSE Linux Desktop, use Crossover Office and that will run Microsoft Office.

      With Codeweaver's Crossover Office you get to run:

      * Microsoft Office XP, 2000 and 97
      * Microsoft Word
      * Microsoft Excel
      * Microsoft PowerPoint
      * Microsoft Outlook
      * Microsoft Internet Explorer
      * Microsoft Access
      * Microsoft Project
      * Adobe Photoshop
      * Microsoft Visio
      * Lotus Notes 5.0 and 6.5.1
      * Quicken
      * Various Web Browser Plugins
      * QuickTime
      * Shockwave Director
      * Windows Media Player 6.4

      Though it probably illustrates the power of the API emulation, I can't see the value in MSIE and the Windows Media Player.

      I will however admit that Crossover Office / Wine will not run _every_ custom Visual Basic app on the planet... but if you don't have them then there is no technical reason you could not switch to Linux.

      ... [don't] forget user training, the cost of changing hardware that isn't supported to Linux etc. ... Yes, it is true. Your users will need to adjust to the new desktop, but most products I've seen such as SuSE Linux Desktop make Windows users feel right at home.

      I'm not trolling, I like Linux. I think it is great for the home and for a hobby, but it's just not ready for the mainstream. Perhaps in a few years, but not today. I'm not shilling for SuSE or Codeweavers, but they do have great products fully capable of blowing Windows off the corporate (and home!) desktop. Btw, you can download a 30 day trial of Crossover Office here. While you're at it, see if it will run your custom VB app too ...

  8. Some hints by Anonymous Coward · · Score: 2, Informative

    * Don't let the users work with an admin account
    * Use a proxy
    * Use Firefox instead of IE

  9. Re:Windows XP and Service Pack 2 by Anonymous Coward · · Score: 1, Informative

    Oh yeah. Use that firewall that comes with XP.

    I would also download ZoneAlarm too.

    We use Symantec at work on the network. Seems to work great.

    Also, all suspicious attachments are not let through (quarantined) because the users are too stupid -- they seem to open them mindlessly.

  10. yeah by UserChrisCanter4 · · Score: 2, Informative

    I'm not totally clear on what these machines are used for (custom web apps w/ heavy activeX use? Random surfing?), but assuming you haven't heavily focused on IE with custom software, Mozilla/Firefox plus a proper permissions system that denies access to IE and program installation should prevent 95% of the infections.

    Top it off with a local DNS that nulls known ad sites and spyware supplies, and you should be good to go.

  11. Sounds like the same problem we face by willith · · Score: 4, Informative

    Sounds like the same problem we face--4k client PCs in five locations--and we don't have too good of a solution.

    We're currently taking a two-pronged approach. First, for the big baddies like Gator or Bonzi, we use Altiris Notification Server to find them and block their execution. This works tolerably well, but it's a reactive process--for me to block a spyware app, I have to know about it, and it has to be something of which I can deny execution (so, no browser helper objects).

    Second prong is a managed install of Spybot S&D--we're enterprise licensed and maintain our own update server. We stick Spybot S&D in our base loads and force it to run on a schedule, automatically updating itself and running non-interactively. This catches lots, but can sometimes interfere with the users' work.

    There is also an ongoing user education effort, consisting of mandatory training and constant reminders about how spyware works and how one gets infected, but that's about as hopeless as bailing the ocean with a kid's toy bucket. I'm long past the point of hoping that the general user population can learn about how not to get infected with spyware; I'm resigned to spending the rest of my days hearing about how someone in Marketing was hitting the gambling sites at lunch and picked up yet another malware app.

  12. Win2K or XP Pro, and Limited User Accounts by gfecyk · · Score: 2, Informative

    Proven on two medium-sized networks I maintain for clients. No spyware in two years and I don't even bother with up-to-the-minute patches. Just patch for serious problems or when a service pack comes out.

    Limited User accounts also provide the best AV on Windows, second only to MS Office SP3 and later which block bad e-mail attachments, bad macros, etc by default.

    Finally, stand-alone NAT routers that act as firewalls keep worms out.

    Worried that your software won't work as a limited user? Harass the vendor. Go to their competition. Loosen up security on individual files and folders (hence, suggesting XP Pro instead of XP Home). Test, test, and test some more. You'll save hundreds if not thousands on annual AV subscriptions and catch new threats before the AV vendors (and Spybot / Ad-Aware) can.

    --
    Use Evolution instead of Outlook? Bewa
  13. Heretical advice??? by vudufixit · · Score: 3, Informative

    I did some spyware experiments of my own one day, to "ferret out" where some of this stuff came from. I did a clean install of XP on a machine, and carefully documented what I did, and the resulting changes in cookies, commit charge, etc. The results were interesting - I visited a lot of adult porn sites - literally just combining verbs and adjectives, and got very little in the way of spyware. I went to a particularly vicious site - default-homepage-network.com, and instantly got hit with a bunch of popups and three items immediately went into add/remove programs. Then I installed the "standard" kazaa - installing spyware programs was part of the initial installation!!! Commit charge went from about 100 megs right after a bootup, to 212 after installing Kazaa. Then, I wiped the machine out and installed XP and then SP2. The first things I tried - porn sites and default-homepage-network, didn't do anything - only Kazaa resulted in spyware, because installing it yourself is part of the package.

    When I clean out clients' PCs, I do the following:

    1. Safe mode, command prompt - delete everything I recognize as a spyware .dll or .exe, and I rename anything I believe may be a system file.
    2. Normal mode, uninstall any program with "rebates" "shopping" "bargain" etc...
    3. Install and run Adaware, Spybot, Hijack This, CW Shredder, and Spyware Blaster.
    4. Install SP2 if it's a recent machine - SP2 tends to crush PCs that have been running for a while.
    5. Scold them for downloading music, and remind them that not only will they have to pay me if their internet habits cause reinfection, but the greedy RIAA bastards may even come knocking one day.

    I agree that most 2004 and up versions of Symantec and McAfee include anti-spyware protection, as well. Not too impressed with Webroot Spysweeper - it's a rather ponderous product. Firefox is a damn good idea, too. And of course, stay away from "Spyware Stormer"

  14. Re:Symantec by Anonymous Coward · · Score: 2, Informative

    NAV 9 handles both viruses and spyware...

  15. DeepFreeze = best. prog. EVER. by Sven+The+Space+Monke · · Score: 5, Informative
    Oh my god, I'm surprised it took that long to mention DeepFreeze. I LOVE DEEP FREEZE. I only manage 70 comps at a LAN center, but if you think office drones are demanding, try gamers. We used to have the comps locked down as tight as possible (well, as tight as you can get with XP Pro and still have games/punkbuster be functional), and we still had to do regular weekly maintenance (AV, spyware removal, etc). With DeepFreeze, you can set up a 2 gig thaw partition that allows people to save any files they might need, they can still save files to a network drive, but the C: drive (or any other fixed drive you want) has a persistent image resident. They can save any files they want, make any changes they want, delete anything they want, but on next boot, everything on a frozen drive is back to the way it was before. They can't permanently install any progs, but honestly, when should a user be installing anything anyway? The best part is, I can go about a month between issues that can't be solved by a reboot.

    --
    A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
    1. Re:DeepFreeze = best. prog. EVER. by drinkypoo · · Score: 4, Informative
      Windows updates are easy: In the middle of the night, thaw the machine from the console (automated), run the updates (automated - you ARE using SMS right?) and then re-freeze it in the morning before they come in. The problem of users saving documents in the wrong location is still an issue but can be mitigated in many applications by the use of default document save paths.

      A somewhat better way to handle the freeze/thaw thing is to run your updates weekly and cycle the machines on the weekend. If you're really worried about your users losing data you can search their machines (via administrative shares, in an automated fashion) for documents modified in the last week and shovel them into a separate folder on the permanently thawed drive.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:DeepFreeze = best. prog. EVER. by hazem · · Score: 3, Informative

      I'm going to try posting this and hope the lameness filters don't get me.

      I hope this helps! If you find any mistakes, please feel free to contact me. If you find it really useful, I'd love to hear about it.

      I'd release this under the GPL, but darn, it just doesn't seem like there's enough there to bother. I mean... can you really GPL some config scripts?

      I found it helpful to configure the Linux stuff on one computer, then using a bootable Linux CD (I didn't want the local box slowed down by unnecessary services like networking), I put it on a server, called lin.tgz. I then booted on another machine with the bootable cd, and applied it to the /dev/hda2. If that was mounted to /lin, you'd then need to do a "chroot /lin" and then run /sbin/lilo to get lilo installed.

      Good luck!

      Linux Rebuilder
      By Dale Frakes
      Write-up version 0.1, 19 October 2004, 4:17AM

      This set of tools helps automate the process of keeping a Windows box with a consistent image. It works similarly to "Deep Freeze" by storing an image of the Windows system and all its software on a Linux partition. The computer boots into Linux, which restores this image to the Windows partition (overwriting whatever the user did before). It then reboots into Windows.

      ** Installing/Setup **
      The scripts as I have written them use tar/gzip to make the image of the Windows partition. This is because I was working on Win98 boxes that use FAT32 (which Linux can easily read and write). Linux does not yet reliably write NTFS, so to use this on an NTFS based Windows system, such as Windows 2000, or Windows XP, the scripts will need to be rewritten using dd/gzip rather than tar/gzip.

      Here are the basic steps:
      1) Install Windows on your computer. If you are using one drive, partition that drive in half (or, if you know how much space you'll need, just a little more than that). Install all your applications and customize the Windows "image" so that it is exactly the way you want it to be each time you reboot.
      2) Install some Linux version on the other half. Keep it small, since you won't need networking, X, or much else.
      3) Create a /rebuilder directory and place the following files in that directory: getimage, putimage, rebuilder, win_reboot
      4) Modify /etc/rc.local to point to /rebuilder/rebuilder
      5) Modify /etc/lilo.conf to match the menu options in my lilo.conf. Run lilo.
      6) Create a /images directory to store the image.

      For FAT32 systems using tar/gzip, you'll need to add an entry to your /etc/fstab to mount /dev/hda1 to /win.

      ** Useful Points **
      There are two main keys to why this thing works pretty well. First, lilo can invoke the same kernel with different options. The menu options I place in lilo.conf do this. The other key is contained in the win_reboot file. By invoking lilo with the -R option followed by a boot label, (eg. "lilo -R Windows"), lilo will override its default boot option on the next reboot.

      There are two other nice features that work nicely. The first one is that while the kernel is loading, the keyboard cannot interrupt the process. This is great for keeping someone from hijacking the system. The second is that putting the line "password=""" in lilo.conf will password-protect the boot options that do not have a "bypass" in them. This allows the user to do some things, like boot directly into Windows, or even rebuild the Windows partition, but not make a new image of the Windows partition.

      If you're going to do a dd/gzip option, you'll want to wipe your Windows partition's empty space. From the documentation for g4u, there is a link to a program called nulfile, which will fill up the empty space with 0's. http://www.feyrer.de/g4u/

      (If you like imaging, check out g4

  16. The layered onion approach... by urlgrey · · Score: 5, Informative

    Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:

    The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.

    Second, where possible, deploy W2K or XP, and...

    Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.

    Fourth, where possible, dump IE.

    Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)

    Sixth, where possible, dump IE.

    Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)

    Eighth, where possible, dump IE.

    Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for spyware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)

    Last, and not least: dump IE.

    --
    Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
  17. Re:Windows XP and Service Pack 2 by psyclo · · Score: 2, Informative

    Sorry to shoot your idea out of the water, but I've had XP with SP2 for a while, and Ad-Aware comes up with plenty of hits, and I don't visit porn sites. I'm just running it now and it already recognized 6 new objects.

    Ahh well, it was a nice theory while it lasted. :-)

    --
    =======================
    Psyclo, the dark night.
    Mike, the computer geek.
  18. It's called Active Directory by Digital+Dharma · · Score: 2, Informative

    Active Directory allows an Administrator complete and total control over his/her domains, up to and including limiting the ability of other administrators to install/remove software. On my last assignment we used a combination of AD, RIS and scripting to monitor the computer states of those with local administrative rights (think executives here who incessantly whine about not being able to control their computers) so that any unauthorized changes to the allowed states were undone every 5 minutes. When I started the assignment the Cisco routers were reporting over a Gb of spyware-related traffic every day. We reduced that to less than 1Mb per month. MS SMS pretty much does the same thing, but if you know anything about scripting and batching you can accomplish just about everything that overpriced product does.

    --
    End of Line.
  19. Re: Consider removing IE completely by Alwin+Henseler · · Score: 2, Informative
    using tools like LitePC.

    Many vulnerabilities in Windows aren't so much in Windows itself, but in IE (or Outlook, or ...). Some of those flaws can be avoided by not using IE, but some more may be avoided if you have IE not installed at all.

    By default Windows doesn't allow IE to be uninstalled, and MS once claimed it would render Windows unusable. Tools found on above website prove otherwise. You can also use these to remove other unneeded Windows components.

    Fully removing IE may have some drawbacks, but usually you can do fine without. If you have doubts, just try the preview version on a couple of boxes. There's a free utility for just removing IE from Windows 98 systems.

    For best results, consider removing Windows as well...

  20. Re: Those are after the fact solutions. by anakin357 · · Score: 4, Informative

    You need to stop them before they are able to install one piece of code on the system.

    1). You can do a few things, namely locking the computers down using the Microsoft Policy Editor (as I am sure you are aware of its existence).

    2). Make sure that no user has administrative access, and that downloading / installing programs is not allowed - if they need programs, that is what their roaming profile is for.

    3). Also keep an image available of every system so that you can restore to a known good working point

    4). Invest in a decent SAN and keep the roaming profiles there, ALL documents should be kept on the SAN / roaming profile so that re-imaging the computers when they do get things on them does not cause valuable work to be lost.

    Perhaps suggest hiring a freelance IT guy who knows how to do such things if you do not, there are plenty here who need the work.

    If you can get to the control panel, display settings, look in the C: drive, change IE options, etc, you're doing things wrong, it's not locked down enough.

    Yes it's a pain for the users, but it does alleviate the potential of corporate espionage (don't believe it doesn't exist, it most certainly does) and also spyware/adware/etc screwing up your computers.

    These are just the basics but it's worked fine for the company I work for; after some user adjustments it's actually not that bad. The only thing you lose is the storage on the clients, and possibly a big investment in a SAN ranging from 1TB on up, which can be moderately expensive.

    --
    http://www.fsckin.com/
  21. Thin Clients by fire-eyes · · Score: 2, Informative

    If your users must have windows workstations, set them up with thin clients via PXES. Have them connect to MS terminal servers (2003 ent preferred).

    Single point of control (at least per server). Save insane amounts of money.

    --
    -- Note: If you don't agree with me, don't bother replying. I won't read it.
  22. spywareblaster by mpost4 · · Score: 3, Informative

    It selectively breaks ActiveX to prevent spyware. I use it on my only Windows box. Failing that, I have Linux on 2 systems and Mac OS X on the other two. And on my work box, which is dual boot, I have SpywareBlaster on the Windows part.

  23. Privoxy by Anonymous Coward · · Score: 1, Informative

    This is where Privoxy (http://www.privoxy.org/) comes in; they don't even see those snappy ads!

  24. Re:re-imaging by tomhudson · · Score: 2, Informative

    Another thing you can do to make the whole restore process quicker is, before creating the original image, write a program to fill up the unused space on the source drive's file system with huge files containing just a bunch of 0x00s (nulls), then, when the file system is full, delete those files.

    Now you're ready to do a dd if=/dev/source_partition of=my_image.img

    When you zip the resultant img, it will compress much more because, instead of random data on the unused parts of the drive, it's just a bunch of nulls.

    When you go to restore, it will also uncompress quicker because, again, the empty space is just a bunch of nulls, instead of random bits.

    This means you could do a quick restore from a compressed image off a cd-rom, even with the cd-rom's lower data transfer rate.
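    An added simulation of the zero-fill trick described above (example code, not from the comment's author): free blocks of a constructed "partition" hold leftover random bytes, the free space is nulled the way deleting the big 0x00 files leaves it, and gzip sizes are compared before and after, with a check that live blocks survive untouched. Block size, image size and the 10% live fraction are assumptions.

```python
import gzip
import random

BLOCK = 4096  # bytes per simulated file-system block (assumed)

def make_image(n_blocks: int, seed: int = 1) -> bytearray:
    """Constructed stand-in for a source partition: every block holds pseudo-random
    bytes, the way free space looks when deleted files' contents are still on disk."""
    return bytearray(random.Random(seed).randbytes(n_blocks * BLOCK))

def zero_free_space(img: bytearray, used: set) -> bytearray:
    """Model of 'fill the free space with files of 0x00 bytes, then delete them':
    every block the file system does not own becomes all nulls; live blocks are
    left byte-for-byte intact."""
    out = bytearray(img)
    for b in range(len(img) // BLOCK):
        if b not in used:
            out[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
    return out

def compressed_size(img: bytearray) -> int:
    """Size of the image after the same kind of compression a zipped dd image gets."""
    return len(gzip.compress(bytes(img), compresslevel=6))

def compare(n_blocks: int = 256, used_fraction: float = 0.1) -> dict:
    """Compress the image before and after zeroing its free space and report both
    sizes, verifying first that the live blocks survived the wipe unchanged."""
    used = set(range(int(n_blocks * used_fraction)))  # the first blocks are 'in use'
    raw = make_image(n_blocks)
    wiped = zero_free_space(raw, used)
    for b in used:
        assert wiped[b * BLOCK:(b + 1) * BLOCK] == raw[b * BLOCK:(b + 1) * BLOCK]
    return {"raw_bytes": len(raw),
            "compressed_before": compressed_size(raw),
            "compressed_after": compressed_size(wiped)}

if __name__ == "__main__":
    r = compare()
    print(f"{r['raw_bytes']} raw -> {r['compressed_before']} before, "
          f"{r['compressed_after']} after zero-fill")
```

    On a real drive the equivalent is dd from /dev/zero into a file until the file system is full, delete it, then dd the partition to an image and compress it; the random-looking free space is what defeats the compressor.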

  25. www.pestpatrol.com by sid+crimson · · Score: 2, Informative

    Pest Patrol. There is a 30 day / 25-user trial available online. They were recently purchased by Computer Associates, and this product will be rolled into their Secure Content Manager package in a year or so.

    -sid

  26. Deny write access to the registry. Whitelist BHOs by Wiseleo · · Score: 5, Informative

    My solution is simple.

    No user can write to the registry in the common spyware places. All access to write to the areas of the registry that are commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install privileges. All apps are deployed through GPOs. There is a whitelist of approved ActiveX in general and BHO controls.

    Spyware usually requires BHO access to tap into IE. Removing that access is good. A whitelist enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.

    --
    Leonid S. Knyshov
    Find me on Quora :)
  27. Prevent malware with DNS and other tools by Derge · · Score: 2, Informative

    First off, you are going to have to start off clean. That means spending time at each workstation. There is no magic wand that will get rid of everything your machines have gotten. You have to use the tools that are available to start clean and then focus on prevention.

    Cleaning: Have someone sit down at each workstation. Install and update Ad-Aware and Spybot and start them running; clear temporary Internet files and cookies.

    Prevention: You are running a DNS server on your network, right? Put this list of domains in your DNS pointing to the loopback address: http://mvps.org/winhelp2002/hosts.txt Or, you can install the file on individual machines as a hosts file (as was intended by the authors of the list above) and "lock" the file with this: http://www.mvps.org/winhelp2002/lockhost.bat

    Install Spybot and, during installation, install the updates and use the "immunize" feature. Increase Internet Explorer security settings.

    Install Mozilla Firefox and make the Qute theme the default. Right-click on the Firefox icon on the desktop and quick launch bar and change the icon to the famous blue "e" icon. Change the shortcut name from "Mozilla Firefox" to "Web Browser". Install the Flash plugin and put the stupid "go" button on the toolbar. Make Firefox the default browser when asked, and also go into the Windows Control Panel and make it the default again. (Windows Update, when launched from the Start menu, will still launch in IE.)

    Tell users not to download and install anything from the Internet because it will break their computer. If you don't tell them, they won't know. Good luck!
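    An added example (not the comment author's code) of the DNS side of the prevention step above: it parses a hosts.txt-style blocklist, drops the machine's own names and anything that is not a valid hostname, and emits a BIND named.conf fragment that sinkholes each name (and its subdomains) through one shared zone file. The sample entries are constructed, not real list content, and the zone file path is an assumption.

```python
import re
from typing import Iterable, List

# RFC 1123 host label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Names the list carries for the machine itself; these are never sinkholed.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost"}

def parse_hosts(text: str) -> List[str]:
    """Return the unique, validated hostnames from a hosts-format blocklist.

    Each entry is '<ip> <host> [<host>...] [# comment]', with the IP being the
    loopback or 0.0.0.0 address the list authors use; malformed names are dropped
    rather than written into the DNS configuration unchecked."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "0.0.0.0"):
            continue
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if host in _SKIP or host in seen:
                continue
            if not all(_LABEL.match(label) for label in host.split(".")):
                continue
            seen.add(host)
            out.append(host)
    return out

def bind_sinkhole_config(domains: Iterable[str],
                         zonefile: str = "/etc/bind/sinkhole.zone") -> str:
    """Emit a named.conf fragment declaring each name as a locally authoritative
    zone served from one shared zone file (path is an assumption) whose records
    point at the loopback address, so every subdomain is sinkholed as well."""
    stanzas = [f'zone "{d}" {{ type master; file "{zonefile}"; }};' for d in domains]
    return "".join(s + "\n" for s in stanzas)

# Constructed sample in the hosts.txt layout; not content of the real list.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example-tracker.test  # banner network
0.0.0.0 ads.example-tracker.test
127.0.0.1 bad_name.test
0.0.0.0 popups.example-adware.test cdn.example-adware.test
"""

if __name__ == "__main__":
    print(bind_sinkhole_config(parse_hosts(SAMPLE_HOSTS)), end="")
```

    The shared zone file itself is not generated here; it needs an SOA/NS record plus an A record for "@" and "*" pointing at 127.0.0.1 so that every name in the list, and anything under it, resolves to loopback.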

  28. Unfortunately it's not always possible by Sycraft-fu · · Score: 2, Informative

    Sometimes management is just clueless and will buckle to users' demands to allow them to have admin access. Sometimes, they run specialised programs that will NOT run properly without admin. Especially in the case of engineering apps, there sometimes is no alternative; this is the only thing that does what it does.

    I agree as a general principle: users should have the minimum amount of access they need to do their job. Unfortunately, that is sometimes full administrative access.

  29. Ban their certificates? by inhalent · · Score: 5, Informative

    I manage an Active Directory domain and I've taken care of the major offenders through group policy.

    First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certificate to a file.

    Next, I add that certificate to the list of banned certificates domain-wide. It works great and fixes the problem of people installing spyware without knowing it.

  30. Well, I rather think it's simple. by Tuxedo+Jack · · Score: 3, Informative

    Install VNC over the network (or other comparable remote-control software; VNC is free and GPLed) and put HijackThis on a read-only network share.

    If the user reports problems, VNC into the machine, run HijackThis as root, and remove what you need to.

    Running as User or Power User will help, but it won't stop everything.

    Try adding the MVP Hosts list to the firewall's shit-site blocker.

    If you can, put SpywareBlaster into your image set for the machines you clone and force a once-a-year reclone with updates.

    There's also the simple idea of not letting your users use IE. Force them to use Firefox, Opera - anything but IE.

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  31. Spyware Guard by EvilGrin666 · · Score: 2, Informative

    SpywareGuard does exactly what you require. It scans software when you open it and stops it from mucking about with obvious spyware-related registry keys.

  32. Technical solution useless w/o policy 2 back it up by Media_Scumbag · · Score: 4, Informative

    Any time you have to deal with a technical issue that involves user interaction as a component of success, you will need to propose to management a policy that bolsters the behavioral aspect of the solution: users need to be made, by management, to have some degree of awareness and culpability for virus and spyware infections.

    "Frequent-fires" users will be compelled to learn some digital hygiene.

    Most large and medium-sized businesses operating today have some sort of policy on sexual harassment/hostile workplace/conflict of interest/Internet and PC usage policy, etc. Generally, users understand that these policies are for everyone's protection - With ~2000 PCs in the mix... This is definitely where you should start... Policy Covers Your Ass.

    On the technical side:

    1. Router logs, intrusion detection, and sniffing as trending tools to show your boss what's up with traffic.

    2. Good, solid desktop images / app pushes / GPOs - harden the Registry, Security Policy, individual apps as necessary. Beyond that - when a machine is sufficiently infected, it should be replaced with a re-imaged one --- it can be faster than cleaning, and is a hell of a lot more complete. This also reinforces the notion of users not storing important things locally.

    3. Helpdesk tracking software - What users/machines/network segments are continually having the same problems? Does Human Resources need to be the next step for some people?

    4. Desktop management software - provide your boss with stats on just what kind of crap is showing up.

    5. If you must use/develop software that may enable or even contain spyware, you have a particularly tricky problem that concerns both company policy and IT best practices.

    Of course, you know your boss, I don't... How you implement these suggestions is different for everyone. To some, it may seem draconian, to others, quite lax.... To some, budgets will not allow the necessary attention - for others, this kind of focus could perhaps justify a budget increase.

    Oh... And consider the browser's role in the business - what is an acceptable $$ loss for a preventable issue? Have you already spent that?

    My $.02

  33. Re:There are solutions by Anonymous Coward · · Score: 1, Informative

    Actually, the Notes web interface works fine with Firefox (at least for email; I don't play with the calendar & such via web).

  34. Qwik-Fix Pro protect against forced installs by thorlarholm · · Score: 2, Informative

    Qwik-Fix Pro from PivX Solutions (full disclosure: I created this) works to protect against forced installs of spyware.

    http://pivx.com/qwikfix/

    Qwik-Fix Pro is not a spyware killer, but it is enterprise level and does protect against all of the browser-based vulnerabilities (among others) that are being used to forcefully install spyware. It is a perfect combo together with a spyware killer such as The Cleaner from Moosoft (http://www.moosoft.com/) or Lavasoft Ad-Aware (http://www.lavasoftusa.com/).

    The protection against IE vulnerabilities was implemented in September 2003 and has since protected against all command execution vulnerabilities discovered since then without a need for updates. These very improvements to IE were subsequently included by Microsoft in Windows XP Service Pack 2, though the implementation Microsoft chose failed to protect against several vulnerabilities discovered since then, such as the Drag'n'Drop vulnerability which Qwik-Fix Pro protected against.

  35. Re:LAN Admins don't make money??? Are U crazy? by jridley · · Score: 2, Informative

    That's not making money, that's "not losing money".

    Exercise: Let's spin you off as a separate company. How long do you keep getting paychecks? What's your revenue stream? Don't have one? Then you're not MAKING money.

    You are a SERVICE, and an EXPENSE. Certainly it's a necessary one, but if it weren't, you'd be on the street in a second.

  36. Blacklists to kill programs by Afroplex · · Score: 2, Informative

    Aside from individually going to each machine and cleaning them, we try killing the spyware installers and executables. First we installed on a box as much spyware and peer-2-peer apps as we possibly could, and also browsed executable lists on antispyware/malware sites. Then we made a monster list of these executables.

    If we were running an XP-only shop (this won't work in Win2000 or 98) we would use Microsoft's software restriction policies in Active Directory. We don't, so this is out of the question.

    Novell Zenworks (versions >=4) rogue process management sounds like it may work, but when we tested it, it didn't kill apps that start up before the user logs in. So any spyware services aren't killed, even after the user logs in.

    Next up was Progkill, an application on Sourceforge.net. Seems to work well on Win95/98/2000 boxes if it starts up. Has a few bugs when starting up. I wish I had a Delphi development box, else I would debug it. Bonus points to it for its GUI interface.

    Finally was roguept (rogue process terminator) on Sourceforge.net. Does the same thing as Progkill, but not as easy to set up. Extremely small though, and fast. It is written in C++ and runs as a service, so it kills spyware from the get-go. This speeds up system bootup time.