Slashdot Mirror
Spyware/Adware Prevention In Large Deployments?
foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"
We use Symantec Antivirus and Desktop Firewall - seem to do the trick...
The friendliest digital photography forums on the net!
1) Network level security. Most spyware can be blocked with a firewall.
2) Firefox and thunderbird, most spyware needs IE or outlook to sneak in.
3) Default IE security settings maximized. Despite opinions to the contrary, windows CAN be secure. You just have to crank up the security settings as much as possible. By default its an open book.
4) Use windows as little as possible. Keep in mind as little as possible might mean every single machine. But if you can manage to phase it out at all it will save you a million headaches.
Noble as your intentions are in spreading the word, Firefox will NOT solve the spyware/adware problems. Much of these malware re installed by the user implicitly by installing other shareware/freeware products. It just so happens that the IE monoculture is making these malware authors to target IE for some of their scripts (to automatically install). Once Firefox reaches a critical mass, it will too have these problems. Remember, malware along with spam is a socual problem, not a technological one, so the solution is also social. for
Actually, it does have to be said from time to time. If the problem is a big enough priority, maybe the solution needs to be a bit creative?
I understand it's not a realistic option for everybody to switch OSes. Just something people might want to keep at the back of their mind, in case this month the problem is AdWare/Spyware, last month the problem was Viruses and Worms, the month before the problem was about software costs, etc.
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
...because some IS people just need to exercise every little bit of power they can.
Others realize that computers are tools and that disabling web access makes them worse tools. They know that their job is not to find ways to make their own jobs easier, it is to make other people's jobs easier.
Kudos to the story submitter for being one of the type that wants to do his job right.
Dancin Santa, fuck you and all others like you.
Users are not going to be smart enough to run Firefox and scan for spyware regularly. This stuff should be blocked at the proxy level. Doing it this way will allow for the spyware sites not to be able to communicate and therefor make it harder to install a lot of the spyware out there. If any spyware does get installed this will make it so it can't phone home and give away all your browsing habits. This can also save a considerable amount of bandwidth if done on a large scale.
The author mentions having Ad-Aware installed, but I assume the s/he is referring to the 'standard' (free) version?
If you go for the payed version it comes with an app called Ad-Watch which actively monitors your machine for spyware installs. See: http://www.lavasoft.de/software/adwatch/
And one Perl script to refuse them all.
It's a brilliant solution.
Only half the solution - inevitably, someone will run across a new breed of spyware that the proxy doesn't yet catch. At that point, you need spyware protection on people's computers as well, so that it can be exterminated once the adware database is updated.
Yes, you could also filter outgoing packages, neatly making the spyware/adware useless, but I've seen spyware that killed a computer's internet connection if it couldn't communicate with its home system (on a user's computer in college, which was a problem since they had to authorize their computer - on a webpage - before they could connect to the outside world.)
Breaking Into the Industry - A development log about starting a game studio.
It's not free though
Top bras simply did not want to pay to replace those computers.
As far as firewalls go, things still slip through, and once they do, what then?
And firefox only stops most automatic installs, it still won't keep Joe Idiot from downloading Bonzia Buddy...
Xaotik Designs
Never start vast projects with half-vast ideas.
You mean you found more cookies in Firefox because you use it more often?
A few caveats -
In an office environment:
- users will likely save documents where they shouldn't, and they will be erased on reboot.
- windows updates get to be a pain, especially with automated services.
A lan center in this respect is a lot less demanding than an office, where people DO have personalized machines.
So you installed ad aware and spybot on most of 2000 systems. Did you pay the authors of those software any money? Maybe if you paid them some money they could help you roll out massive deployments or modify their software to suit you.
My guess is that like most companies you installed them without paying because you didn't have to fill out forms or break your budget. Now you are looking to pay somebody else for software after using their products for all this time.
Just doesn't seem fair.
evil is as evil does
Does it magically prevent people from downloading "The Cute Puppy Screensaver" complete with free URL tracking and home page replacing features?
Now, no doubt, someone out there is saying "Yeah, just educate the users, and smack them hard when they do it." Good luck on your first round of job interviews once you get out of college, kiddo. Aside from those clueless users needing smacking quite often being your boss, or at least more likely to be on a first name friendly basis with oh, say the CIO or VP in charge of finance, when the spyware becomes an issue, it will be YOUR head on the chopping block if there isn't a "solution" from the IT department. After all, in most people's minds, the computers are YOUR responsibility, not Martha, the chatty legal assistant who likes to coupon collect and shop using "Super PiggySaver" during her lunch break.
So, by all means, educate users in proper computer use, post acceptable use policies, push for a more secure browser deployment, lock down the computers security policy to prevent as much as possible a user from installing random crap, but also prepare to install what tools you can to correct and deal with problems after they occur.
And, BTW, in the right (wrong) hands, even Firefox can be used to so load down a computer with crapware and spyware that it doesn't have a spare cycle to do any real work.
Now, if you don't mind, I just got an urgent support ticket from Martha to attend to.
If it is, the solution is simple:
- Obnoxious, nazi-like filtering at the proxy level.
If people want to surf or play games, suggest they seek another job.
Conformity is the jailer of freedom and enemy of growth. -JFK
No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but its just not ready yet.
There is no god damned Access for Linux either. Heres a newsflash a lot of companies have database frontends that rely on Access, it may not be the best solution but it is the current system and to change it would cost thousands of dollars.
Like it or Loathe it Visual Basic is used throughout many companies. Please correct me if I am wrong but do any Linux office products work with Visual Basic?
These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.
What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.
I'm not trolling, I like Linux I think it is great for the home and for a hobby but its just not ready for the mainstream. Perhaps in a few years, but not today.
Shame on your company for buying into vendor lock-in. A competitor that didn't will eat your lunch while you're still running from desktop to desktop fixing IE infections.
You need central computing. One (or few) big servers that kept clean and well managed. Then make the remote clients dumb, locked down, and netbooted if possible. So basically what you want is xterminals. That run a local citirix client to access winblows apps and your done. This doesnt fix the sales departement laptops, but then again nothing will, its best to put those on a rotating plan where sales guys drop off the laptop ever few weeks for prevenetive maintaince (wipe the machines, and install the latest updates). Also make sure you rotate the laptops, this prevents people sticking their own crap on them. USB keys can work well for storing local stuff, if vpn protected netshares are not available. In the end you will spend man years protecting invididual machines, while protecting one machine is much more feasable. In the 80s we ran away from network computing becouse networks were very unstable, slow. Now that ethernet is more reliable, and 100Mb or faster is the norm, network computing makes much more sense.
The problem is that Microsoft still hasn't gotten around to making the system usable without running it as Adminstrator. Even if it does get to the point where there is spyware, it can't do nearly as much if it can't read/write anywhere to the drive that it wants.
If you want to play hardball, let them approve silly stuff. Make sure there is a paper trail of who approved what, and make sure they take the heat for whatever problems are caused.
You need the support of your own management, and a evil+political person to prepare the very thorough document describing all the problems caused by $stupid_app. Don't be afraid to estimate costs incurred by the incident.
If management finds their own nuts in the wringer because of a dumb decision, they might not sign off so quickly next time.
(If you don't have the support of your own management, of course you're fucked anyway.)
The companies with hard-ass policies didn't get that way overnight, you need to demonstrate the problem in a way that even senior management can understand.
You also still have to exit and restart the browser every few days as it tends to get sluggish after a while.
Setting permissions the way you do will help some but IE has enough holes to drive a truck through. It makes absolutely no difference if they are locked down or not. The fact that IE can be used to execute code makes you and your network vulnerable.
Being the good little MCSE that you are you probably jepordize your network by using IE on your own machine. Now imagine you hitting that nice little web page that joe hacker left on the internet that installs code on your machine and executes it, bingo that's right he has your entire network by the bag.
Got Code?
Most of the bright windows admins on here are going to tell you to use permissions to lock down the workstations and take machine admin rights from the users. Now you have to sit back and ask yourself is that really going to help? Yes it is probably going to help but they are really luring themselves into a false sense of security. Now ask yourself how many of the windows admins that you know use IE? That right most if not all of them use IE. So now ask yourself what does that got to do with anything? Well if IE can execute code easily at user level privs then what happens when that stupid windows admin browses to a page containing malicious code? That's right the worm, virus, trojan has full admin privs.
What do you do to avoid catching the flu? That's right you get a flu shot. So do yourself a favor and get a flu shot, install mozilla on the clients everyone will thank you for it anyhow.
Got Code?
I wonder how much productivity you lock-'em-down admins are costing the economy as a whole. You wanna know something? LAN administration isn't the most important part of a company, you aren't making the company any money. Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.
How does it help the company when everytime I need to install some software to do my job I have to call you up and waste a couple of days for it to get aproved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?
OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying doing my job. Leave me alone god damnit!
What was the last law that benefited people but not corporations?
Microsoft has greased the wheels with its exploit ridden, high maintenance software, creating security problems of epic proportion that are helping justify the return to the "glass house" in the eyes of management, who worries about things like HIPAA, Sarbanes Oxley, EU privacy directives, Gramm Leach Bliley, and all that--and creating a class of well-paid overseers to manage it.
The users are mere pawns in the game.
If businesses used your logic, there would be no PCs. We would still all be running green screens off of mainframes. It is those terrible users that found they could do thier job 5 times faster by going around IT and running apps on a 'toy' (PC) that has gotten us as far as we are. At least 2/3 of the Administrators that I have run into are not competent, and are simply not well versed enough in business or technology to determine what software is necessary and what is not. The comment about Kinko's is a perfect example. Remember the 'Shatter' attack? If you had access to the machine as any user, you could get admin access. The Kinko's Admins are probably thinking that they don't want the huge PR problem that happens the next time a similar hole is found, and some script kiddie grabs copies of confidential documents for weeks or months before the attack is made public and a fix is released. SNL's 'Nick Burns' is not far from reality.
Regarding the choice of OS... I know this is gonna be a bandwagon comment, since this is slashdot, but I say this as a guy who makes his living fixing windows boxen, and is currently applying for an even better paying job fixing windows boxen... I'm typing this from my iBook.
Whether you choose Mac OS, Linux, BSD, Irix, Solaris, VMS, or the Amiga obviously depends on what sort of apps your users need, but most everything can be done without Windows.
Some people will tell you that Total Cost of Ownership is total bunk, and that Windows isn't more expensive to run. My paycheck *is* the Windows TCO.
Different companies have different political environments and different requirements for user permissions. Not everyone can be as locked down as you are because of various business requirements. Business requirements always trump security requirements, political requirements (like CEO "needs" admin rights) often trump security requirements.
Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but its just not ready yet.
But there is a Microsoft Word for Mac OS X. Of course, you're really just side-stepping the real issue. Nobody really has a "We need to run Word" problem (except maybe when converting that legacy format to an open format); they have a "We need to create documents" problem. Just about every place I've been that had Word widely installed, 90% of the people used it as a glorified text editor.
There is no god damned Access for Linux either. Heres a newsflash a lot of companies have database frontends that rely on Access, it may not be the best solution but it is the current system and to change it would cost thousands of dollars.
The time to complain would have been when the picked Access as their solution, not when they finally figured out that they have vendor lock-in. There are tons of other database solution they could freely choose from. But, again, you're side-stepping. Malware, especially as described for this article, is mainly a user problem. If you have a server running Access, it's unlikely such garbage will be installed on it. This in no way forces you to keep Windows for desktop systems.
Like it or Loathe it Visual Basic is used throughout many companies. Please correct me if I am wrong but do any Linux office products work with Visual Basic?
Again, you're pushing a product instead of solving a problem. Please describe how VB is used for custom development that cannot be matched by other tools. Bonus points if you've figured out you can't name lock-in with MS products any further.
These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.
Bogus excuses. I've been in environments that had users sitting in front of old NeXT boxes to run in-house apps. Why? Because it got the job done quite well, and the users were more likely to be working than dinking around on the web or with some game they downloaded (or suffering with spyware/adware). MS is the hammer some companies use as their only tool, and it's stupid.
What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.
Fire them. If you have to go to the Start button as a major part of getting your work done, your system for doing business is screwed up beyond whatever kind of OS you run. And I'm not sure I even understand your text FUD. How about you describe specific use cases instead of trying to sound ominous while telling your tale of woe?
I'm not trolling, I like Linux I think it is great for the home and for a hobby but its just not ready for the mainstream. Perhaps in a few years, but not today.
Linux on the desktop is always seemingly a few years away. For a general desktop, yes, that is true; it's why many geeks have switched to Mac OS X. But for specific desktops, there is no good reason you can't run something other than Windows. I mean, seriously, if you have 200 people who are screwing around on non-work enough to cause you malware headaches, they're clearly people that need to be "refocussed", and Linux probably provides all the good they need to actually do their job without all the bad that comes with crufty ol' Windows.
You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks.
Because not every company is employing a bunch of idiots. Some users actually NEED to do things that are out of the ordinary.
If anyone has a complaint, tough.
IT's job is to secure the computers, but not just for the sake of security. It's to secure them so that people can do work. If you only care about one part of your job, that's a really good way to lose the rest of it.
I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?
How about this? It's easier to write a script to automaticalls reimage the machines than it is to take support calls from thousands of offices for tens of thousands customers who cant get things done all because you wanted to be an asshole and ride a power trip to show people that you control the machines.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
The www is something that can be surfed at home on personal time. Work is for work.
...).
Many other people have pointed out the value of being able to surf sites for work-related information (booking hotels, looking at competition, finding reference materials, finding suppliers/products, finding potential customers, posting job listings,
There are other ways to prevent misuse as well, rather than blocking port 80 - block specific sites (ie, hotmail) and/or use content filtering to stop people from looking at pr0n while at work. Keep in mind that these can be detrimental - at a health care related job, for example, there will be legitimate reasons to look up legitimate sites that will be blocked by content filtering.
One thing that has been shown (I know I've read articles about this before, unfortunately I can't find referencse) is denying people "personal time" at works leads to an increase in sick days and other time off. Basically, if you don't let someone spend half an hour doing something personal while "at work", then they end up just taking an entire day off to get what they need done. This is my take on the matter, and I don't block any sites on our connection. (and no, I don't consider pr0n to be a legitmate "personal" use of time, but we're also a small company and no one really has much of a private office to use..)
Speak before you think
That is the bulshitiest excuse in the history of mankind.
.
You explain to the suit that you can't install the software because that would make your network a virus/spyware testbed.
If the suit inisist have him put it in writting exhonerating you from any responsibility and financial damage the company may suffer
It always amazes me the deference that some people have for somebody wearing a suit and with an important sounding job description.
Your job is to make that network safe, in spite of the owners of the company themselves if necessary.
IANAL but write like a drunk one.
I work in company where it has taken a while to get the CEO and others to understand the benefits of not having extended rights.
If you want to make them understand let them manage their own PC. They will get infested and crash a lot (usually). When they ask for help install a fresh version and run a virus check on their files. Do not waste time on restoring there program settings.
Instead tell them it's the best way to deal with the problem at hand (it is!).
After losing time on this the CEO will listen to arguments like: "We/you are wasting time and time is money."
He will ask you what can be done. Tell him he will lose his admin rights and you will manage his PC (add more arguments). When he agrees make sure his PC runs smooth for a long time and when there is a problem you fix it quickly. After a while he will appriciate that he get's his job done and the admin waste less time on reinstalling his PC.
When the CEO (replace with some head guy) understands why normal users shouldn't have extended rights you can tell him that you would like his backing to take away extended rights from the normal users.
This is a very short explanation on what to do. The point is to explain to the management why it's a benefit to give up their rights - time/money!
It is not allways easy to convince the CEO but it's worth the time. You will need the managements blessing to deploy tighter security. Most people don't get it the first time you explain why it's necessary and it will take forever to explain it to a 1000 users. That's why you need the CEO to tell them.
I was with you right up until you said penalties. How many work environments will let the IT department waste time and valuable (well, sometimes) resources with petty penalties? I'm all for limiting what a user can do, after that its just them and god (and their boss of course). :)
Quack, quack.
Wanna bet? Remember Blaster, Slammer / SQL Worm? How much did we lose? S.Korea was knocked off the 'Net.
Even a feather in the hands of a Dumb user is still dangerous ! He may tickle himself to death.
LAN Admins lock down systems BECAUSE they need to protect you from yourself. or better yet they need to protect the company investment in you from going waste because you installed some Anna.K screensaver and end up saying "Doh!"
As long as users like you are dumb and stupid, you will continue to be treated like kids: Childproof everything.
"Doing what i can, with what i have." ~ Burt Gummer
That's because we know what we're doing. And, if we cause problems, we're the ones that have to fix it.
Who do you think is responsible for keeping track of the licenses for that software you want to install? Given admin access, how many users do you think will pirate software? (Answer: a lot). How many users will knowingly or unknowingly install spyware? (Answer: a majority) How many will get a virus? (Answer: A few. But those few will impact the entire company.) And, when they do all of this, and it takes 1-2 days to clean up their computer, how many users will understand that it's their fault and not blame the IT department? (Answer: None.)
I suppose you feel the same way about your Purchasing Department (Why should I have to get a PO before ordering something? How does it help the company when I can't immediately order something I need?). Our job is not to help you be more productive in your job. It's to help the company be more productive. You're just a tiny little part of the equation.
If there truly is someone who is (a) knowledgeable of computers, (b) appropiately cautious of installing unknown or unlicensed programs, (c) reasonable enough to not blame IT for all of his computer woes, and (d) wants administrator access (and his manager doesn't care) - then I'll usually give it to them. In most cases, this guy also becomes my go-to guy for the department - which saves me from visiting for little issues.
If you truly can't do your job because of restrictive policies (note that installing WeatherBug and AIM does not constitute doing your job) then you should explain your situation to your admin, your manager, and your admin's manager. If nothing gets done, then noone thinks you need admin access to do your job. Live with it.
I do believe that is the parent of your posts point. He is looking at it from a B2B perspective. Bad IT practice has directly hurt his company, even though it was not his company's bad practice.
Jeremy
The test is if the loss of productivity due to lockdowns is overall LESS than the loss of productivity due to virus/malware/spyware plus corporate danger due to piracy plus extra admin time to support all kinds of whacked-out PC's.
If having them locked down costs the company less, then guess what - you get to put in change requests for that software install.
Not always true. But if you run a concentration-camp style lockdown and project the attitude that "I am mighty Network King, bow before me and I may let you use your machine," you're goddamn right the admins will go down for any security problems. And rightfully so--if you manage my machine and take away admin, then it's your problem, and I as one of those stupid users will happily watch you swing from the gallows.
~~~
The anonymous coward is correct; if you add the user to the admin group, install the Palm Software, and then take user out of the admin group after the first sync, it will continue to work.
...whan you are forced to go thru all kinds of wild, abnormal gyrations to install and use a piece of software. Palm targets their software toward the corporate user, yet they write it in such a manner that a typical corporate user cannot install and use it in a typical corporate (i.e. locked down) desktop machine without the assistance of a rocket scientist.
Isn't there a list of spyware certificates on some reputable web site that we all can download and add to the certificate "ban list" wholesale?
You're tired of IT "Nazis" who impose restrictive limitations upon you and your fellow plebes?? You're tired of being told how to operate your office computer (which, for the record, is COMPANY property)?? You're tired of being treated like an idiot everytime We have to descend from on high to come and fix something that (99 times out of a hundred) was YOUR FUCKING FAULT (the other 1 time, it was the guy in the office next to you, for the record)??
Here's what I'm tired of...
-------
15 hours spent tracking down the last vestige of a virus that got into the network because some dipshit user clicked on that gods damned "punch the monkey" banner. Did I get thanked for preserving the integrity of the company's data?? No, I get told to watch my ass or I'll be out on the street for daring to bill the company for those many hours at once...
-------
Removing the spyware which has crippled your machine causing it to "run too slowly" (the original reason you called me)... oh, and by the way, standing over my shoulder, pissing and moaning about lost productivity... that doesn't inspire me to work faster... especially not when the very next thing I see you doing (while en-route to another "emergency" call) is playing SOLITARE!! Real productive...
-------
Being told you have a virus and then coming into your office to find that you haven't bothered even to open the e-mail I sent out about a new CRITICAL SECURITY UPDATE that you really should install... by the way... it was in an e-mail because the last time, I spent a day visiting every - single - machine in the office and applying it myself, only to get flak for costing everyone 10 minutes of their precious time
-------
Having My lunch/smoke break/FUCKING WEEKEND interrupted because you or one of your shit-headded co-workers desperately need something installed/removed/hit with a stick... I don't need free time, what the hell would I do with it?? I live but to serve you my leige... you jerk-off...
-------
The rules and restrictions we place upon you are not out of spite. We are not fascist dictators making rules willy-nilly in the hopes of catching you with your pants down. These rules are in place to protect the sanctity and security of the network that we get paid to protect. The attitude that you see is the result of years of dealing with people who do everything they can to get around our rules. People who continue to open spam e-mail, who open attatchments on e-mails they have not verified, who wait until a computer problem gets so bad that the unit is no longer functional, who visit unsecured websites, who ignore critical updates (they're called critical for a fucking reason, plebe)... you're the problem, not us... Your right, I am paid to interface man with machine, to make the integration of technology and business as seamless as possible, and to keep the company data stored on the network safe from the outside world... I am not paid to babysit you, I am not paid to hold your hand, and above all else I am not paid to take your abuse... so here's the deal... when you follow the procedures we lay down (if you want to know why the rule is there, ask) so that the problems I have to fix aren't ones that have been caused by you, then you'll stop getting the brunt of my attitude... but so long as you act like a petulent child, demanding that everything run perfectly right now... now Now NOW... and continue blaming us for problems that are all totally preventable... I will treat you like a child...
so either start treating us like real people, or run your own damn network...
The chains are broken
Loki is free
Ragnarok is at hand...