Slashdot Mirror


Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"

12 of 782 comments

  1. Actually by apoplectic · · Score: 3, Interesting

    but this doesn't prevent the computers from getting these programs

    I believe Spybot does protect you ("immunize") from around 2000 different pieces of software, if you let it.

  2. Software Restriction Policy (Windows XP) by yiangouk · · Score: 5, Interesting

    You can apply what is known as a Software Restriction Policy and enforce it strictly so that only approved software is installed on system computers

  3. FFox by MadEmperor · · Score: 3, Interesting

    I love how all the FFox/Mozilla comments get a score of 1.

    The truth of the matter is Mozilla does indeed prevent quite a bit of malware from entering your computer.

    Oh well, I'm sure this will be modded 1 - Redundant

  4. Re:Easy solution by civilizedINTENSITY · · Score: 4, Interesting

    I am so sick of hearing that "once [fill in the blank] reaches critical mass, it will have the same problems." That sidesteps the issue of design, as though all designs are created equal. This viewpoint only works if you view your computer as a magic (black) box with no discernable internal structure or parts.

    Methinks it says much more about the people who utter the phrase than it does about the systems they suggest are inherently equal.

  5. Re:DeepFreeze = best. prog. EVER. by hazem · · Score: 4, Interesting

    I once set up a similar system using a small linux installation.

    1) set up windows on half the drive
    2) install a small version of linux on the other partition
    3) make an image of the windows drive that is stored on the linux side
    4) I set up some rudimentary scripting that worked with lilo boot options.

    Normal operation is to boot to Linux, then extract the windows image over the windows partition. It then reboots. You can feed lilo an option to override its default boot option and go directly into windows. On next reboot, you go back into linux.

    I even set flags where you can turn off the auto-rebuilding, set it for daily rebuilding only (first boot of the day), or make it strictly manual "your computer is goofy? Okay, reboot, and select rebuild. Get some coffee and come back".

    As another poster said, you do have to turn off all the auto-updates because they'll continually trigger. But it is so nice to not have to tend to the machines until you want to do those updates.

    I don't have the setup on a website, but if you're interested, send an e-mail to username dfrakes at the new google email service. I'd be glad to send my scripts along.

    We had a lab of win98 boxes - all PII-300's or less that would rebuild their 1.5GB windows image in about 11 minutes. I used tar/gzip for the image, but it can work just as well with dd/gzip and may even go faster. In that case, the smaller your windows drive, the better your performance will be.

    It was great in an academic computer lab where the users shouldn't be messing with things!
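
The rebuild flags and restore step described in the comment above, sketched as an added example; this is not the poster's script. The state file names, the `.sha256` sidecar file, the function names and the checksum check are assumptions made here, and mounting the Windows partition and the lilo reboot are left out.

```shell
#!/bin/sh
# Added example (constructed): restore-on-boot logic for a lab machine.
# Assumed layout, not from the post: STATE_DIR holds "mode" and "last_rebuild";
# IMAGE.sha256 sits next to IMAGE and was written when the image was made.

# should_rebuild MODE LAST TODAY REQUESTED -> exit 0 if this boot should restore.
should_rebuild() {
    case "$1" in
        off)    return 1 ;;                            # rebuilding disabled
        manual) [ "$4" = yes ] ;;                      # only when chosen at the boot prompt
        daily)  [ "$4" = yes ] || [ "$2" != "$3" ] ;;  # first boot of the day
        *)      return 0 ;;                            # default: rebuild on every boot
    esac
}

# restore_image IMAGE TARGET: wipe TARGET and unpack the known-good tree.
restore_image() {
    img_dir=$(dirname "$1"); img_name=$(basename "$1")
    # A modified or truncated image must never be written over the partition,
    # so the checksum is verified before anything on TARGET is deleted.
    ( cd "$img_dir" && sha256sum -c "$img_name.sha256" >/dev/null 2>&1 ) || return 2
    find "$2" -mindepth 1 -delete || return 3
    tar -xzf "$1" -C "$2" || return 4
}

# rebuild_on_boot STATE_DIR IMAGE TARGET TODAY [REQUESTED]
# Prints "restored" or "skipped"; a non-zero exit means the restore failed.
rebuild_on_boot() {
    mode=$(cat "$1/mode" 2>/dev/null || echo always)
    last=$(cat "$1/last_rebuild" 2>/dev/null || echo never)
    if should_rebuild "$mode" "$last" "$4" "${5:-no}"; then
        restore_image "$2" "$3" || return $?
        echo "$4" > "$1/last_rebuild"
        echo restored
    else
        echo skipped
    fi
}
```

On a real machine TODAY would come from `date +%F` and TARGET would be the mount point of the Windows partition, so the daily mode is only as reliable as the machine's clock.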

  6. EnCase Enterprise by funk49 · · Score: 3, Interesting

    Depending on your budget, try EnCase Enterprise by Guidance Software. EnCase is the forensic program/application used by the US Govt and also by most of local and foreign law enforcement investigators as well.

    The Enterprise version takes forensics a step further, utilizing a client listener app which runs on the desktop and after establishing a baseline of permitted apps, can be used to detect and counter malicious apps running on the LAN and WAN as well as imaging drives realtime for investigative purposes.

    Investigations have been performed from halfway around the world with the click of a button. Another selling point to the PHB's is that it can be used for HR investigations as well, making it an easy ROI for most companies.

    http://www.encase.com/

  7. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by WoodstockJeff · · Score: 3, Interesting

    At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited.

    Works great, until you run into something like Palm software, which won't cooperate with permissions. I've tried several methods to make it possible to sync a Palm Pilot with Outlook, and none work, if the user doesn't have administrator privileges on the computer. Apparently, some of the Palm conduits try to write to directories that aren't available to mere users, and I haven't been able to track all of them down.

    And it's the executives that have the Palms, so not letting them work isn't a viable option...

  8. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by plierhead · · Score: 5, Interesting

    I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You got the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

    I hear completely where you're coming from, but you're only talking about the side that you see.

    Locking people down, while it may well be a desirable solution because of the shite that is MS, very often leads directly to lost productivity that affects many more than just "folks that like to use their computer to screw off all day". In many cases, the problem is made worse by unresponsive IT departments who have an inbuilt superiority complex and think all users are jerks. Well, many users are jerks, but guess what - if they can't do their jobs, they cost their employer money, normally in a way that IS is utterly unaware of (and probably couldn't give a shit anyway).

    Recent examples at our clients (we provide our system as an ASP, not least to avoid the claws of those freaking MS bastards, but as you can see we are still the victims):

    1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.
    2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.
    3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)
    --

    [x] auto-moderate all posts by this user as insightful

  9. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Kleedrac2 · · Score: 3, Interesting

    1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.

    This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT.

    2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.

    Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

    3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

    And again, if there's a valid reason to upgrade office and it's showing up multiple times perhaps IT should either distribute a newer image w/ Office 2003 or perhaps OO.o, alternatively they could just have a copy of Acrobat on the IT network so any incoming Word documents can be sent to them for conversion to something that can be read by the current image.

    I've administered networks as well as used rather locked-down networks. The problem with locked down networks in my experience happens only when the IT guys are too lazy or stupid to make changes. Any idiot can lock down windows. It takes someone with more intelligence to actually allow the useful while blocking the harmful. As long as the IT department is large/trained well enough for the number of seats it really shouldn't be a problem.

    Kleedrac

    --
    Sure we wang, can.

  10. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by estes_grover · · Score: 4, Interesting

    This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT...Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

    These would be true statements should the company in question be small - several hundred employees. It's a whole different deal in a large company. In a large company (thousands or 10's of thousands of employees) IT policy is often designed such that the (inadvertent) end result is: slow. The overriding concerns in large-company shops are things like security, audit, documentation, repeatability. In an IT shop supporting a large user base, the CIO is often more of a business type than an IT type. Hence lots of compromises, negotiation, changes in direction. Couple that with in-house development efforts and one often gets re-work and that translates into slow.

    It's darn near impossible to be large and nimble.

  11. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 3, Interesting

    Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.

    Why wasn't IT involved in the requirements discussion of your ASP solution? Who did you think was going to be implementing the client side of the solution? A lot of issues could be solved easier if IT was asked for advice before a problem arises. Instead, departments make (sometimes) dumb IT-related decisions, and expect IT to implement them.

    Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.

    Sounds like a department or group of people within Customer B wanted to use your system. Once again, it doesn't sound like IT was involved at all. Nor does it sound like the company as a whole wanted it - or they would've worked with IT to get access to it.

    Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

    AFAIK, Word 97-2003 have the same file format. Excepting some possible formatting issues, reading the documents shouldn't be a problem. However, realize that an Office upgrade is a huge expense in terms of both time and money. Expecting IT to jump to fulfill your requirements on their existing budget is a bit unfair.

    Just because you, understandably, see your solution as the greatest thing since sliced bread doesn't mean IT or the company as a whole does. It would seem that IT, and the executive management, were either not made aware of the business need of your solution, or felt it was not worth the impact on IT's budget and responsibilities. Perhaps involving IT in your next client discussion could point out these issues before the ink is dry.

  12. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by GreyPoopon · · Score: 3, Interesting

    I don't think you are completely aware of what the budgeting process and political playing field are like for IT resources at most companies. It's generally not a question of laziness, but rather that management wants to reduce IT headcount while at the same time getting even more work out of the department. On the other hand, if you are directing your complaints against upper management (not IT), I'm all with you.

    This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT.

    Interesting. You attribute following policy to laziness. Since there aren't enough resources to go around installing HP scanners for everyone and supporting the associated software, the department has made the decision to support a single centralized scanning infrastructure. Unfortunately, they made this decision at a time when OCR wasn't an issue. Generally, the $200 HP scanner isn't going to be an isolated case. Once one is deployed, there need to be others. Now the IT department is forced to support several additional devices and new software. Oh, and while they are providing this additional support, the CFO is busy taking three more people out of their headcount. In a situation like this, the proper solution is for the IT department to follow policy and request that the person who has the need escalate through their management. If it's important enough, it will reach the CEO, who will tell IT they need to provide this service. At that point, they can force the CFO and the CEO to sit at the same table and decide whether it's more important to provide this piece of hardware or to reduce the IT budget. Now, if IT hadn't locked down the system and employed this practice in the first place, guess what would have happened. The requesting department would go around IT to buy and install the scanner, and IT would have still ended up supporting the thing.

    Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

    Again, you've attributed draconic procedures for gaining web access to laziness. What you are missing is that such decisions rarely come directly from IT, and are instead a direct response to a requirement from the CEO. Just like the previous situation, the issue would have to be escalated. The CEO will either approve, deny, or realize that he needs to change his requirements for IT.

    And again, if there's a valid reason to upgrade office and it's showing up multiple times perhaps IT should either distribute a newer image w/ Office 2003 or perhaps OO.o, alternatively they could just have a copy of Acrobat on the IT network so any incoming Word documents can be sent to them for conversion to something that can be read by the current image.

    Again, somebody has to support this, and most IT budgets are yielding their dollars up to the Marketing budget. Although, I like the idea of a copy of Acrobat because it would then possibly require only one resource within the IT department.

    The problem with locked down networks in my experience happens only when the IT guys are too lazy or stupid to make changes.

    No, most locked down networks happen when the IT department is afraid to make changes. Usually this is because the CEO or CFO puts very heavy restrictions on them. Remember that 80s and 90s buzzword, empowerment? Well, we all laughed back then because we knew it wasn't true. It's obviously not true today either.

    --

    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?