Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"

Webroot Spy Sweeper Enterprise and Lavasoft too

[erick99]

I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment though you can do it manually as well. Definition upgrades as well as version upgrades of the sofware is also automated. Take a look at this page from their website. Lavasoft also has an enterprise product that is pretty good though I think Webroot has a slight edge.

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

[SilentChris]

You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

The only one that I've seen get through (and it's not really spyware) is changing a person's homepage. I'm not sure why IE even allows this. Fortunately, the main reason for switching someone's home page (slamming them with pop-up ads) is kind of diminished with SP2.

My feeling: the vast majority of administrators don't take advantage of the tools MS has provided. The one complaint I've heard ("We use programs that require special permissions, so we can't have staff run as limited users") is bollocks. Do what we do: take a few hours out during a deployment, contact the original software manufacturer (or figure it out in house) and set all the permissions correctly.

And it's not just unknown shops. I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

[trick-knee]

proper permissions usage and implementation is really the best way to lock down a machine when you can't rely on the user to keep from inadvertantly installing junk.

and doesn't the great grandparent (first) poster read like astroturf?

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

What? I've got a bunch of people synching palms in windows 2000. They are domain users and don't even have accts on the local system. try adding the user to the administrators group for the first sync and then removing them.

you mean...

[maxdamage]

besides freezing them?

Re:Easy solution

[Em+Ellel]

Why is a normal user allowed to install programs in the first place?

Because that computer thing is meant to be USEFUL

DeepFreeze = best. prog. EVER.

[Sven+The+Space+Monke]

Oh my god, I'm surprised it took that long to mention DeepFreeze. I LOVE DEEP FREEZE. I only manage 70 comps at a lan center, but if you think office drones are demanding, try gamers. We used to have the comps locked down as tight as possible (well, as tight as you can get with XP pro and still have games/punkbuster be functional), and we still had to do regular weekly maintenance (AV, spyware removal, etc). With DeepFreeze, you can set up a 2 gig thaw partition that allows people to save any files they might need, they can still save files to a network drive, but the C: drive (or any other fixed drive you want) have a persistant image resident. They can save any files they want, make any changes they want, delete anything they want, but on next boot, everything on a frozen drive is back to the way it was before. They can't permanently install any progs, but honestly, when should a user be installing anything anyway? The best part is, I can go about a month between issues that can't be solved by a reboot.

The layered onion approach...

[urlgrey]

Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:

The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.

Second, where possible, deploy W2K or XP, and...

Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.

Fourth, where possible, dump IE.

Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)

Sixth, where possible, dump IE.

Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)

Eighth, where possible, dump IE.

Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for sypware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)

Last, and not least: dump IE.

------

Deny write access to the registry. Whitelist BHOs

[Wiseleo]

My solution is simple.

No user can write to the registry in the common spyware places. All access to write to the ares of the registry that is commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install priveleges. All apps are deployed through GPOs. There is a white list of approved ActiveX in general and BHO controls.

Spyware usually requires BHO access to tap into IE. Removing that access is good. White list enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.

Ban their certificates?

[inhalent]

I manage an active directory domain and I've taken care of the major offenders through group policy.

First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certicate to the file.

Next, I add that certificate to the list of banned certicates domain wide. It works great and fixes the problem of people installing spyware without knowing it.