Slashdot Mirror
Spyware/Adware Prevention In Large Deployments?
foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"
I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment though you can do it manually as well. Definition upgrades as well as version upgrades of the sofware is also automated. Take a look at this page from their website. Lavasoft also has an enterprise product that is pretty good though I think Webroot has a slight edge.
http://www.busyweather.com/
besides freezing them?
Use FireFox instead of Internet Explorer. www.mozilla.org
What about blocking or filtering the spywares and adwares at your proxy? If it don't get into the network, it will not affect your computers.
I usually dont reccomend upgrading antivirus programs to my clients, but the latest round of 2005 versions basically have adware in with their virus defs. Not sure about the corporate level stuff, but almost all the major consumer AVs do.
Seriously. I am not trolling. It works for me.
Ever since I have installed SP2, Ad-Aware from Lavasoft has not found one spyware program -- even after installing the worst offending sites - porn sites.
Disable write permissions for all users. Roaming profiles, no browser cache whatsoever, no ability to write any file to the drive.
I never said it was a -good- solution...
We use Symantec Antivirus and Desktop Firewall - seem to do the trick...
The friendliest digital photography forums on the net!
I recommend just sticking a firewall up at the root of your network and blocking all traffic on port 80. It cuts down on web surfing and it puts to death all those stupid ad/spybots that already infest your network.
If someone needs to access a site, have a system where they can request a site to be opened for access. Of course they will need to have a valid reason and you (as network admin) have final say as to letting them have that access or not.
The www is something that can be surfed at home on personal time. Work is for work.
Comment removed based on user account deletion
Two words: Death penalty.
Get spyware, get shot in the head. After two or three pluggings in front of coworkers, NO ONE will get on the net period, or even check e-mail.
Harsh? Yes. Effective? HELL YES!
Stop dedicating your life to subsidising Microsoft's hegemony. Move people to a good, maintained Linux Distro. Yes, it is possible.
but this doesn't prevent the computers from getting these programs
I believe Spybot does protect you ("immunize") from around 2000 different pieces of software, if you let it.
See: here for Pest Patrol, and here for Spy Sweeper. There was an article this month in Information Security Magazine.
Find out about the Lexus Rx400h Hybrid!
* Don't let the users work with an admin account
* Use a proxy
* Use Firefox instead of IE
We have all of the software you need! Just tell us what you want the software to do, give us the name of open source software that already does the task, and in three weeks we will have a brand new software package *just* for you, for the low low price of $50! Unfortunately, our website is down because of high traffic and hackers. Still, you can view videos of the as-of-yet-non-existant software here.
Hurricane Ivan: A 17th century prison collapsed. All of the inmates escaped.
You may find this interesting.
Every time a user finds spyware on their PC, replace the monitor with a smaller one.
When a user has to make a decision between h4rdc0r3 p0rn and a 6" monitor, they might be a little more proactive in preventing spyware!
1) Network level security. Most spyware can be blocked with a firewall.
2) Firefox and thunderbird, most spyware needs IE or outlook to sneak in.
3) Default IE security settings maximized. Despite opinions to the contrary, windows CAN be secure. You just have to crank up the security settings as much as possible. By default its an open book.
4) Use windows as little as possible. Keep in mind as little as possible might mean every single machine. But if you can manage to phase it out at all it will save you a million headaches.
I use SpywareBlaster and it seems to be decent. http://www.javacoolsoftware.com/spywareblaster.htm l
Get up off your ass and raise up your glass!
I've noticed that prevention is more effective than removal. If you can spare it, wipe the systems, implement some decent settings (pre-install all the Active X you use and then block the rest). Or install firefox.
For some reason safe sex seems to pop into my head. Mozilla Firefox: condom for the online world.
I fix computers as an after school job. Both spyboth search and destory are great programs. The best things for prevention is to switch everyone to mozilla and get a version of Norton Internet Security 2005. Mozilla helps alot, keeping spyware out and works better then IE just in general. Norton Internet Security 2004/2005 has spyware detection and removal.
We've had sucess with Pestpatrol Corporate Edition. http://www.pestpatrol.com/Products/PestPatrolCE/
Actually, it does have to be said from time to time. If the problem is a big enough priority, maybe the solution needs to be a bit creative?
I understand it's not a realistic option for everybody to switch OSes. Just something people might want to keep at the back of their mind, in case this month the problem is AdWare/Spyware, last month the problem was Viruses and Worms, the month before the problem was about software costs, etc.
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
You can apply what is known as a Software Restriction Policy and enforce it strictly so that only approved software is installed on system computers
Can restricting accounts from administrator to a regular user help at all? I don't know the answer to this question with windows? The windows computers at my school don't allow you to install software, but I don't know if that's feasible in your situation.
I would start by considering rolling out firefox on everyone's computer. I think that would curtail it substantially.
And please, no one suggest switching every machine to linux. No spyware problems are definitely a bonus, but I wouldn't take on the tremendous task of switching everyone over just because of spyware. And yes, I run and love linux, but I can't imagine installing it on 2000+ machines.
Been using it for a few weeks now and seems to stop just about everything coming in. Don't know if i can really vouch for it yet but it seems to stop stuff on the way in which is easier than cleaning up after the fact.
Stay tuned for new sig...
I'm not totally clear on what these machines are used for (custom web apps w/ heavy activeX use? Random surfing?), but assuming you haven't heavily focused on IE with custom software, Mozilla/Firefox plus a proper permissions system that denies access to IE and program installation should prevent 95% of the infections.
Top it off with a local DNS that nulls known ad sites and spyware supplies, and you should be good to go.
Sounds like the same problem we face--4k client PCs in five locations--and we don't have too good of a solution.
We're currently taking a two-pronged approach. First, for the big baddies like Gator or Bonzi, we use Altiris Notification Server to find them and block their execution. This works tolerably well, but it's a reactive process--for me to block a spyware app, I have to know about it, and it has to be something of which I can deny exeuction (so, no browser helper objects).
Second prong is a managed install of Spybot S&D--we're enterprise licensed and maintain our own update server. We stick Spybot S&D in our base loads and force it to run on a schedule, automatically updating itself and running non-interactively. This catches lots, but can sometimes interfere with the users' work.
There is also an ongoing user education effort, consisting of mandatory training and constant reminders about how spyware works and how one gets infected, but that's about as hopeless as bailing the ocean with a kid's toy bucket. I'm long past the point of hoping that the general user population can learn about how not to get infected with spyware; I'm resigned to spending the rest of my days hearing about how someone in Marketing was hitting the gambling sites at lunch and picked up yet another malware app.
Users are not going to be smart enough to run Firefox and scan for spyware regularly. This stuff should be blocked at the proxy level. Doing it this way will allow for the spyware sites not to be able to communicate and therefor make it harder to install a lot of the spyware out there. If any spyware does get installed this will make it so it can't phone home and give away all your browsing habits. This can also save a considerable amount of bandwidth if done on a large scale.
One thing with the name-'n'-shame system, most people wouldn't be too insulted about using IE. They'd just go, "eh", and get on with their pointless lives. Other than that, you're absolutely correct.
Hurricane Ivan: A 17th century prison collapsed. All of the inmates escaped.
Based on the apps you named, you're running a Windows environment. Why not use the tools that ship with those products and apply some group policies to restrict what can be run? And by this, I mean a whitelist. The IS dept of a corp that large should already have the automatic deployment mechanisms in place, which means you already know which apps should be running on any given machine
That, plus some sane ActiveX and script rules in your IE configuration (again, configurable through AD and GP) should tidy up most of your probs.
Linkable goodness to get you started
to mitigating Spyware that I've had sucess with:
1) Websense has a category set for Spyware to stop it at the firewall.
2) Spyware Blaster is an excellent free Spyware prevention program. I've never had a problem with users who run it.
The best would of course be to convert your enterprise to linux with Firefox. But, if everybody did that, the organized crime that is Spyware would target linux systems. Security through obscurity only works as long as you don't have the market share. However, open source tends to converge on security fixes more quickly anyway. So, even if there were major browser vulnerabilities more often, the fixes would be here faster...
----------
perl -e 'print(pack("H*","646176652e7761676e657240676d616
Proven on two medium-sized networks I maintain for clients. No spyware in two years and I don't even bother with up-to-the-minute patches. Just patch for serious problems or when a service pack comes out.
Limited User accounts also provide the best AV on Windows, second only to MS Office SP3 and later which block bad e-mail attachments, bad macros, etc by default.
Finally, stand-alone NAT routers that act as firewalls keep worms out.
Worried that your software won't work as a limited user? Harass the vendor. Go to their competition. Loosen up security on individual files and folders (hence, suggesting XP Pro instead of XP Home). Test, test, and test some more. You'll save hundreds if not thousands on annual AV subscriptions and catch new threats before the AV vendors (and Spybot / Ad-Aware) can.
Use Evolution instead of Outlook? Bewa
It's expensive, but its the only thing that will do the job, that and really strict AD policy...
Religion is a gateway psychosis. -- Dave Foley
1) Switch from IE to Firefox as prevention. This should stop most spyware/adware.
2) Filter known spyware/adware at the firewall/proxy level.
3) Depending on the type of organization, limit user's power's to prevent the spyware from installing itself.
4) If these are all cloned machines that aren't attached to an individual/all user documents are stored on a central server, consider doing regular formats.
I will skip the snide comments saying "Use Linux" (although it is a great solution) imagining that you don't have the authority or resources to migrate 2000 systems.
The best tool is education. Whatever anti-spyware devices you put on there will be obsolete within a week, but knowledgble users will stay aware for a long time.
Of course, trying to educate that many users will be dificult, even assuming that the education sticks, but no solution is perfect. However, about 20 minutes explaining how the internet works and what an executable file is, etc. will have some very measurable results.
Hopefully I didn't put any [] around my words.
Education is your best tool. Invest in the user
as they are the weakest link in this fight. Do
as others have suggested and switch browsers to
stem the flow.
Try using Spyware Blaster. I use it in conjunction with Ad-Aware and Spybot S&D, and it works great as a preventative blocker for IE and Firefox to prevent spyware from being installed as people surf.
I use the free version, so I have to manually update it, but the paid version updates automatically.
I did some spyware experiments of my own one day, to "ferret out" where some of this stuff came from. I did a clean install of XP on a machine, and carefully documented what I did, and the resulting changes in cookies, commit charge, etc. The results were interesting - I visited a lot of adult porn sites - literally just combining verbs and adjectives, and got very little in the way of spyware. I went to a particularly vicious site - default-homepage-network.com, and instantly got hit with a bunch of popups and three items immediately went into add/remove programs. Then I installed the "standard" kazaa - installing spyware programs was part of the initial installation!!! Commit charge went from about 100 megs right after a bootup, to 212 after installing Kazaa. Then, I wiped the machine out and installed XP and then SP2. The first things I tried - porn sites and default-homepage-network, didn't do anything - only Kazaa resulted in spyware, because installing it yourself is part of the package. When I clean out clients' PCs, I do the following: 1. Safe mode, command prompt - delete everything I recognize as a spyware .dll or .exe, and I rename anything I believe may be a system file.
2. Normal mode, uninstall any program with "rebates" "shopping" "bargain" etc...
3. Install and run Adaware, Spybot, Hijack This, CW Shredder, and Spyware Blaster.
4. Install SP2 if it's a recent machine - SP2 tends to crush PCs that have been running for a while.
5. Scold them for downloading music, and remind them that not only will they have to pay me if their internet habits cause reinfection, but the greedy RIAA bastards may even come knocking one day.
I agree that most 2004 and up versions of Symantec and McAfee include anti-spyware protection, as well.
Not too impressed with Webroot Spysweeper - it's a rather ponderous product.
Firefox is a damn good idea, too.
And of course, stay away from "Spyware Stormer"
The author mentions having Ad-Aware installed, but I assume the s/he is referring to the 'standard' (free) version?
If you go for the payed version it comes with an app called Ad-Watch which actively monitors your machine for spyware installs. See: http://www.lavasoft.de/software/adwatch/
It's not free though
If you're computers are in a Windows domain, why not have all domain computers run the spyware program automatically? Pretty sure this could be scheduled utilizing some sort of domain policy. I know spybot has many command line switches, so you could run it everyday without the user noticing. Spybot command line switches
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Get one to five standard images. All PC's get re-imaged when you get around to it. Every 3 to 6 months. It also makes a reinstall much quicker I can do 20 systems in less than an hour. 10 min for the image and 5 minutes per system for post install setup.
No Admin rights! assuming they are running either 2000 or XP give them as little rights as you can. They dont need them. If they absoutly need rights give them local rights Only.
Proxy/Firewall. Even if you block the most obnoxous sites you have saved your self from 1/2 of the work. I use a custom hosts file that has about 1000 entries.
Some of the more simple and cheap things are; firefox, Spybot with TeaTimer, Google toolbar on IE. Remember you cant stop users but the trick is to slow them down.
The best thing I have found is to create a cluture that does not tolerate spyware. It take 2 years but is worth it. Training is a godsend. Even if everyother person knows how not to act they will help out the others.
See critical mass argument above; also see argument above about how most mal-ware still requires user intervention to install. Put the 2 together and you'll have the same problem no matter the OS.
Geek used to be a four letter word. Now it's a six-figure one.
I love how all the FFox/Mozilla comments get a score of 1.
The truth of the matter is Mozilla does indeed prevent quite a bit of malware from entering your computer.
Oh well, I'm sure this will be modded 1 - Redundant
DO NOT INSTALL REALPLAYER!!!
No-one said you can win them all...
A man who can't pronouce "nuclear arsenal" shouldn't have one -sig ends here.
....at the firewall level?
Instead of blocking port 80 and trying to greenlight thousands of sites that are legit, can one redlight hundreds of spyware sights so no connection can be made to them?
I mean, I don't see any purpose of seeing ad banners at work. That's bandwidth that's best used elsewhere.
That's great unless you work for a company where the Internet (or, more specifically, the web) is a vital business tool.
There are many reasons why someone would need to access the web at work for legitimate reasons. Even in the most technology-sheltered business there will still be a need for, say, ordering office equipment, booking travel and accomodation, checking on the competition or just referencing relevant laws and procedures that the company may need to adhere to.
I can think of dozens of legitimate reasons why 2,000 employees spread over 10 offices would need to access the web. Expecting them to leave their desks to use a PC elsewhere or requiring them to request site clearances on an ad hoc basis is just plain dumb.
The former is an unnecessary inconvenience for the sake of it, because you still have to secure those dedicated Internet access PCs. And the latter is just asking for your most probably overworked IT department to get hammered dealing with requests that it doesn't have the time to deal with, with the additional bonus of the requesting employees having to wait around for someone to give them a green light before they can do their own jobs, which will only cause unnecessary frustration and antipathy to both the patronising employer (for treating mature adults like children) and the IT department.
Now can you see why web access on the desktop is more preferable than your alternatives?
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:
The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.
Second, where possible, deploy W2K or XP, and...
Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.
Fourth, where possible, dump IE.
Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)
Sixth, where possible, dump IE.
Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)
Eighth, where possible, dump IE.
Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for sypware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)
Last, and not least: dump IE.
------
Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
Install a program called spyware blaster. Ever since I installed it ad-aware and spybot haven't found one bit of spyware on my machine.
Active Directory allows an Administrator complete and total control over his/her domains, up to and including limiting the ability of other administrators to install/remove software. On my last assignment we used a combination of AD, RIS and scripting to monitor the computer states of those with local administrative rights (think executives here who incessantly whine about not being able to control their computers) so that any unauthorized changes to the allowed states were undone every 5 minutes. When I started the assignment the Cisco routers were reporting over a Gb of spyware-related traffic every day. We reduced that to less than 1Mb per month. MS SMS pretty much does the same thing, but if you know anything about scripting and batching you can accomplish just about everything that overpriced product does.
End of Line.
"Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"
Last I heard it's called linux.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
The best solution is the simplest, why do they have administrator access to install this stuff? While my environemnt isn't as large (only around 350 systems) I have almost no problems with spyware, because the average user doesn't have administrator access. The average user doesn't need administrator access, and if they do, you are doing something wrong.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
I've deployed but yet to test McAfee VirusScan 8 includes spyware, adware, etc. under "Potentially unwanted program security". I use ePolicy Orchestrator which manages it plus much more.
parent modded as insightful? Come on, I know you guys love linux, but be realistic...there are plenty of very smart people running windows networks, as well as posting on the 'Microsoft Websites'.
Oh...wait..you're AC...which is even more reason to mod the parent post as troll. sigh.
Maybe not the best advise for 2K users.
Help fight continental drift.
In a truly large user environment, where there are 2000+ users, everyone doesn't have administrative access to their workstation. The admin assistants have their apps pre-installed, the call center people have theirs, all based off of a standard base install. No way could the IT department of a company that size manage to install by hand 2000+ workstations.
When you aren't allowed to install software on your computer, it's amazing how simple tech calls are...
User: Yes, I can't install this program my cousin Jeb sent me, can you come install it for me?
ITHelp: No.
U: But I don't have admin acce...
I: No. Installing non-approved software is against company policy.
Ticket closed, all done.
When only the techs have access to their computers, and the techs have to fix their own problems or face reformatting and reinstallation of the base image, there's relatively few problems with people actually installing their own software on their own workstations. U: OK.
This space for rent. Call 1-800-STEAK4U
Personally I've started to use a 3 pronged approach.
1) cut out user permissions on C: and other folders they don't need to access.
2) group policy (no you don't need active directory for this). You can set IE not to use 3rd party extensions. If the person doesn't need to get on the internet, or only does for a few sites, then set up the IE content control to block all sites. You can also set windows to only execute certain programs through windows explorer - although remember to allow mmc.exe for a backdoor.
3) Set the permissions on the users profile directory so they can't execute. If I recall correctly, users can still right click and assign the permissions again to execute, but most don't figure that out
4?) Mozilla Firefox on computers that don't need IE for any specific reason. You can also misconfigure the proxy to limit internet access.
Your employees probably don't need to install new software to get their work done. Don't let them run as administrator and you'll avoid spyware installations.
Just extend it to spyware writers.. and spammers... ;)
(Yes, I know spyware is a social issue... someone pays someone money to write spyware... start nuking THOSE companies and maybe we'd see a change...)
Based on the few responses I see so far, you're getting some good short-term advice. However, you might also want to start considering some long-term solutions.
Switching to MacOS X, Linux, or *BSD would, of course, reduce your risk, since Windows is a much bigger target than all those rest put together. I know this isn't terribly useful advice, but it's worth mentioning since our current software monoculture (the Windows monopoly) is just going to keep getting everyone in trouble.
Even better, companies should start considering moving away from client-centric computing and back to server-centric computing. High speed networks make "remote GUIs" very usable, and nobody can deny the benefits of only having to administrate a few large systems instead of thousands of small ones. (I'm one of those rare people who thinks companies will wake up to this fact eventually, and we'll see companies like Sun flourish again. Big systems are awfully cost effective when you factor in total cost of ownership.)
Before the flames begin, I already know my advice isn't useful in the short-term. I'm just trying to plant some seeds.
couldn't spyware be identified like a virus, quarrantined like a virus, expunged like a virus? So, you do have virus protection right? Are the (anti)-virus companies not providing signatures for them? I would ask them 'why not', then pick the companies that do. Oh, by the way, IANAA (I am not an administrator).
Just a thought before sleepy-time.
Coderz 4 Life
I manage over 4000+ desktops that exclusively run IE. And believe me, we have our share of stupid users.
Don't give them administrative priveleges.
We've never had one case of spyware except when a user had admin rights to their workstation. The only cases I've seen were users that somehow convinced the helpdesk that they "needed" admin rights for something, or, ironically enough, a developer, who all have access to their desktops.
agressiv
...to block bad things from installing themselves in to your system registry without your permission. Most of the nastiest spyware out there today gets its hooks into your system by writing values into your registry that allow it to start up whenever you reboot your computer. Ad Adware is free, but for a well-worth-it $20, Ad-Aware Plus comes with this feature. It has saved my bacon innnumerable times, though it can be a pain if you're installing video software (which loads like 12 different things into your registry, making you confirm each and every one). fyi, I don't have a personal stake in Ad-Aware or anything to gain from this advice, I just wanted to pass on my experience.
...because you never know who you're dealing with.
So you installed ad aware and spybot on most of 2000 systems. Did you pay the authors of those software any money? Maybe if you paid them some money they could help you roll out massive deployments or modify their software to suit you.
My guess is that like most companies you installed them without paying because you didn't have to fill out forms or break your budget. Now you are looking to pay somebody else for software after using their products for all this time.
Just doesn't seem fair.
evil is as evil does
I'd say killing all your employees would be the best way to get rid of spyware.
hi
I work for a pretty big company and they've used Cisco Security Agent. It's been kind of a pain in the a** because it monitors all execution on your computer and complains of any suspicious behavior, but they've been able to write some rules to get around that. http://www.cisco.com/en/US/products/sw/secursw/ps5 057/
It's pretty good because its not really like a virus detector that detects known spyware, it tries to watch for any suspicious behavior.
Many vulnerabilities in Windows aren't so much in Windows itself, but in IE (or Outlook, or ...). Some of those flaws can be avoided by not using IE, but some more may be avoided if you have IE not installed at all.
By default Windows doesn't allow IE to be uninstalled, and MS once claimed it would render Windows unusable. Tools found on above website prove otherwise. You can also use these to remove other unneeded Windows components.
Fully removing IE may have some drawbacks, but usuallly you can do fine without. If you have doubts, just try the preview version on a couple of boxes. There's a free utility for just removing IE from Windows 98 systems.
For best results, consider removing Windows as well...
I found this startup editor, that happens to be free and allows quick editing of the registry(not for the meek) and access to all start up services and programs.
----------
Why do I always get error code ura:A55h013?
No internet, no spyware.
It has been my experience that the larger the company, the less likely any individual has the business need to get on the Internet (specifically browsing). So you can stop a whole bunch of the rank and file getting all that stuff if you simply do not let them have access all.
Using images that do not have Internet Explorer icons visible helps a lot too.
I work at a small company, so spyware software is easy to update. Public humiliation at company meetings for those that get the stuff works wonders.... "Weather Bug" doesnt get downloaded twice if the perp is named at the meeting and has to go get lunch the next day.
IMO, the best way to kill pop-ups is to get rid of ActiveX (assuming you're running IE).
r entVersion\Internet
Settings\CodeBaseSearchPath
...> tags.
g et.dll>;<http://codecs.microsoft.com/isapi/ocget.d ll>
As others have/will post, get rid of IE, because other browsers don't have ActiveX.
If that's not possible, then can you configure IE to block all ActiveX - but that might start a user riot!
Or perhaps you could create a list of Administrator approved ActiveX components. IE seems to have some tools in the Admin Kit (IEAK) to control this. If the IEAK can't do it, then have a look at this registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
Notice the keyword CODEBASE. By removing the keyword, you prevent ActiveX components from loading via the CODEBASE= keyword contained in HTML <OBJECT
A typical value for this string might be:
CODEBASE;<http://activex.microsoft.com/objects/oc
By removing CODEBASE; and/or substituting an internal URL maintained by your Admin, you can tightly control the URLs permitted for ActiveX loading.
I believe these steps could greatly reduce your Spyware problems.
If it is, the solution is simple:
- Obnoxious, nazi-like filtering at the proxy level.
If people want to surf or play games, suggest they seek another job.
Conformity is the jailer of freedom and enemy of growth. -JFK
I can't imagine that that majority of users would needs anything beyond the ability to run preinstalled software. Just change the policies for most users in Active Directory to revoke their software install privledges. Not only would you see a reduction in Spyware and virus outbreaks, but you'd see a heak of alot less of those stupid puppies running back and forth in the signatures of people's emails.
in addition to ad-aware and spybot we use spywareblaster by javacoolsoftware.com and a hosts file from blackviper.com.
So we have about 3000 laptops in our organization. Mostly Win2K Pro, some XP pro. Users only have power user rights, and we're so far behind on patching it's not even funny (can you say SP2 with 1 or 2 hotfixes?). Their machines are so overrun with Spyware that some web apps won't even run.
Due to our desktop team's negligence in patching (even though we own Altiris), I've been taking a hard look at Cisco's Secure Agent... It's really robust, but it complains about ANYTHING trying to do ANYTHING (think Zonealarm from hell), the Altiris client apparently needs 'self modifying code' to run, KlipFolio tries to make a network connection and all sorts of alarms go off, and most spyware still ends up installing anyway. I've been spending some time with Cisco, and I'm sure I'll be spending more, but this looks like an uphill battle the entire way.
Another 'solution' I'm looking at is the Check Point Integrity VPN client (Check Point sucked up Zone Labs last year)... Instead of my clients using traditional VPN software, we'd look at deploying an SSL-type-VPN with Integrity. Basically, everytime you make a VPN connection back to our office, your machine gets scanned for spyware (this would hold true for Internet kiosks as well as their home PCs and even corporate PCs)... Depending on how infuckted you are, you can define different access levels (keylogger = no access, normal cookie crap and a couple Browser Helper Objects, you get access to webmail only. You're clean? Congrats, you get the Intranet and network drive shares). It sounds great and all, but I can't say I've had time to see if the rubber meets the road. Read for yourself, more info here and here.
This is definitely a very interesting 'ask slashdot', and I'll be keeping my eye on the ideas presented.
Surprised no one has mentioned Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.ht ml).
It may not be able to completely prevent spyware, but it's free and it seems to do a pretty good job.
You need to stop them before they are able to install one peice of code on the system.
1). You can do a few things, namely locking the computers down using the Microsoft Policy Editor (as I am sure you are aware of it's existance).
2). Make sure that no user has administrative access, and that downloading / installing programs is not allowed - if they need programs, that is what their roaming profile is for.
3). Also keeping a image available of every system so that you can restore to a known good working point
4). Invest in a decent SAN and keep the roaming profiles there, ALL documents should be kept on the SAN / roaming profile so that re-imaging the computers when they do get things on them does not cause valuable work to be lost.
Perhaps suggest hiring a freelance IT guy who knows how to do such things if you do not, there are plenty here who need the work.
If you can get to the control panel, display settings, look in the C: drive, change IE options, etc, you're doing things wrong, it's not locked down enough.
Yes it's a pain for the users, but it does alleviate the potential of corporate espionage (don't beleive it doesn't exist, it most certainly does) and also spyware/adware/etc screwing up your computers.
These are just the basics but it's worked fine for the company I work for, after some user adjustments it's actually not that bad. The only thing you loose is the storage on the clients, and possibly a big investment in a SAN ranging from 1TB on up, which can be moderately expensive.
http://www.fsckin.com/
Do all the computers (or even most) really need to be able to install applications and such? Is that really neccessary? Lock them down! Lock them down TIGHT so the users can't install stuff. Lock out all internet access (through a proxy or something) for any computer/user that doesn't need it for their job. Use something like Ghost or DeepFreeze to restore computers nightly/weekly/whever there is a problem. That way, even if something DOES get installed, it will be gone when the computer is re-imaged over the LAN (overnight, perhaps).
And don't forget the users. Not only do they need to be educated, but put some kind of penalties on them for getting spyware installed. Give them one "warning", then after that start doing things. They lose internet (if possible), they get docked a little pay/vacation time/sick days, something. You'd obviously have to talk to a lawyer to make sure it's legal and such, but when it becomes the user's problem too, they'll care a lot more. Another great suggestion is this. Is there some kind of message of the day or builten board or something? Post the names of repeat offenders on it for a few days after each incedent. That kind of publicity can work too (again, make sure it's worded in a way that can't get you in trouble, check with the law guys).
Through removing unneccessary premissions, restoring the OS, and just plain old humiliation... you can make your spyware life easier.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
You can't a posteriori secure systems that have never been designed with security in mind. It's a lost battle, no matter what ingeneous ideas you or your AV vendors may come up with. Get over it.
Or at least move the more sensitive systems to a heavily firewalled environment within your net. This means: blocking ALL incoming (obvious) AND outgoing (spyware wants to phone, mail, ... home) traffic; effectively isolating the subnets from the rest of the net. It's not always necessary to be hooked to the outside world. If departments can connect to your data center or servers, that's all they need. Nothing more, nothing less.
... or switch to more secure operating systems, be they MacOS, *BSD/Linux, Solaris, ..., or whatever else can provide a decent desktop and office apps for your company.
Good luck!
cpghost at Cordula's Web.
If your users must have windows workstations, set them up with thin clients via PXES. Have them connect to MS terminal servers (2003 ent preferred).
Single point of control (at least per server). Save insane ammounts of money.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
Rather than answer your question, I'll address the problem.
You need to attack spyware and unwanted adware from multiple angles.
Before you begin: If possible, remove the IE icon and remove Outlook and Outlook express and install alternative products that are less of a target. Keep the Windows Update icon or automate this process.
Next, you need to educate your users. No, this won't stop them, but they'll at least have a clue when your anti-spyware software keeps their favorite new spyware-infested app from running.
Once your users are educated, you need prevention. This means perimeter firewalls that scan all traffic for known spyware. This might make for unacceptable performance, so this needs to be looked at carefully.
You need firewall software on each machine that will whitelist or blacklist certain activity, or raise alarms or lock the machine if things look suspicious.
You need network monitors that monitor internal traffic and raise alarms or isolate computers that are acting suspiciously.
If your network is of any size, partition it by department or other logical unit so if one person gets infected and it gets past the PC's firewall, the damage is contained to a department or group.
On each machine, run a realtime spyware-blocker program alongside your antivirus program.
Now for the cure. Sweep all your machines, particularly user-writable areas of servers, for infections on a regular basis. For volitile areas of servers and write-enabled network shares on workstations, hourly isn't too much, for other areas of servers and for workstations, daily or weekly may be enough. Have a ready-response plan in place in case anyone's computer is acting funky. Be ready to disconnect them from the network remotely or make sure they know how to pull the plug. Even better, if your routers and firewalls can do it, isolate the machine on its own "network" that just has access to "emergency tools" including all the software they need to disinfect their system and/or rebuild it.
Optionally, get legal involved and have a plan for collecting forensic data that you can turn over to the police. This is NOT optional if you are a bank, gambling site, or other likely target of organized criminals who will blackmail you.
Now, if you have a relatively small network behind a NAT firewall and block all unneeded external ports, and your users are well educated and don't use IE or Outlook or Outlook Express, these are probably overkill.
I didn't mention wireless networks and securing parts of networks used by guest users plugging in their laptops. If these apply to you, treat them as "outside the network" and make them come in through a VPN or something similar unless you are ABSOLUTELY certain no unfriendly users can connect. Speaking of VPNs, anyone coming in through a VPN is probably NOT running a box you manage, so they may already be infected. Treat them as such. Worse, they may be clean but be connected to other networks, and may become infected AFTER you've scanned them and found them clean.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I dont know what sort of consistancy you have amongst your pcs but If you have clumps of pcs that are all the same hardware you can always set up images. I love ghost because you can multicast out that image and if you get yourself a schedule to your reimaging you never have to worry about spyware because it tends to take a good solid week to really get to a computer. Of cource this is assuming that you are worried about the proformance issuse with spyware and not the privacy issues. Just my two cents.
Spyware Blaster
Similar to Spybot S&D's "Immunize" function, but even better and more expansive. (Spybot even mentions Spyware Blaster as a more comprehensive alternative to itself.) Spyware Blaster also sets IE's Security Settings to safer settings.
--- "Many of the truths we cling to depend greatly on our own point of view." ~ Ben Kenobi, 'Return of the Jedi'
Yeah, no kidding. Unless there's a reasonable way to run Windows Update without IE, then this would be an unacceptable solution.
So, the mere possibility of having problems with Linux in the mysterious future is enough of an argument to continue to put up with having problems with Windows now?
Howzabout you come up with a better excuse, hmm?
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
You need central computing. One (or few) big servers that kept clean and well managed. Then make the remote clients dumb, locked down, and netbooted if possible. So basically what you want is xterminals. That run a local citirix client to access winblows apps and your done. This doesnt fix the sales departement laptops, but then again nothing will, its best to put those on a rotating plan where sales guys drop off the laptop ever few weeks for prevenetive maintaince (wipe the machines, and install the latest updates). Also make sure you rotate the laptops, this prevents people sticking their own crap on them. USB keys can work well for storing local stuff, if vpn protected netshares are not available. In the end you will spend man years protecting invididual machines, while protecting one machine is much more feasable. In the 80s we ran away from network computing becouse networks were very unstable, slow. Now that ethernet is more reliable, and 100Mb or faster is the norm, network computing makes much more sense.
WinXP SP2 works best on Athlon 64 PCs, since SP2 enables support for the NX (No eXecute) bit, aka Data Execution Prevention, aka buffer overrun protection. Since that's the main vector for autonomous worms (versus the social engineering type), it'll cut your risk of infection quite a bit. Intel doesn't have it (yet) on their x86 CPUs.
And PowerNOW! power management will cut your company's electric bill quite a bit...
Just make sure you've dewormed your PC before installing SP2. It's liable to crash on bootup if you didn't, in which case boot in safe mode and kill the critter.
The reason why ignorant (I'm being kind) users are installing crapware in the first place is because they clicked on a pop-up window that led them to the crapware in the first place.
Because pop-ups can be disabled in Mozilla/Firefox, said users never see them and therefore are far less likely to install the crap.
Lets not forget the tradition of there being a new remote exploit discovered for IE every couple of weeks.
I do IT support in an academic environment and I've found that just hiding IE's presence on a system and replacing it with firefox means that I'm far less likely to have to deal with some security issue on that system again in the future.
My steps to securing an XP Box:
0) Optional: Install SP2 if possible/safe
1) Turn on the firewall
2) Set the system to auto-update
3) Install good AV software and set it to auto-update and scan the system each day
4) Get rid of IE
5) Get rid of MSN messenger
6) Cross your fingers
7) Pray
Optional:
8) Sacrifice Chicken
Lee
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
The critical mass arguement is a strawman arguement. Educating users is a real solution. 50% isn't a passing grade, though, especially when your conclusion drops you down to 1 out of 3 :-)
It selectivly breaks activeX to prevent spyware. I use it on my only windows box. Failling that, I have linux on 2 systems and Mac OS X on the other two. And on my work box which is dual boot I have spywareblaster on the windows part.
I have no affiliation with them... but it's a great product.
m l
http://www.javacoolsoftware.com/spywareblaster.ht
Fast, and it does just that: blocks this crap from ever being installed. It's easy to use too.
I keep it installed on all my comps. And so far, it's proven to be very effective.
some kind of proxy helps prevent a lot. Proximitron is an easily configured proxy that helps cut down a LOT of the crap you run into.
;>).
that coupled with something like ad-aware + spybot + spysweeper (yes all three) works relatively well to keep most crap out. I recommend all three specifically because, having to remove spyware from 30ish computers a day as a Geek Squad Agent at Best Buy, I've discovered of the three, with the -1 day defintion updates, you still find things in each one that the other does not.
You might try finding some other spyware detection apps, NAV 2004/2005 detects and removes SOME (but to be quite honest, not as much as they claim), but the more the merrier. Easier? Less time consuming? Of course not, but removing as much as possible once a week usually leads to having to remove less daily (even in a corporate environment, this could be every 3 days instead of every single day, depending on how many porn/gambling addicts you guys have on your payroll
just my two scratched up green pennies.
This is where Privoxy (http://www.privoxy.org/) comes in; they don't even see those snappy ads!
I use it at my work on a few hundred computers in a school district. For some reason teachers refuse to use anything except IE, so I had to install SpywareBlaster to at least try and prevent it from being installed in the first place. From what I've seen, none of the computers I've installed it on have gotten any spyware.
The problem is that Microsoft still hasn't gotten around to making the system usable without running it as Adminstrator. Even if it does get to the point where there is spyware, it can't do nearly as much if it can't read/write anywhere to the drive that it wants.
Corporate recently switched us over to an ancient software package that requires administrative access, and it didn't take long before every last machine on the floor was spyware infested.
Virtually all spyware, in my experience, gets installed via ActiveX installers. People have gotten in the habit of closing popup windows as quickly as possible without even looking at them, and they end up agreeing to those without a moment's cognition.
I just made a regpatch that disabled ActiveX installers and locked down the security settings so the users couldn't change them. This, coupled with an explicit "DO NOT INSTALL SOFTWARE YOURSELF" policy has put a clamp on our problems.
Now you're ready to do a dd if=/dev/source_partition of=my_image.img
When you zip the resultant img, it will compress much more because, instead of random data on the unused parts of the drive, it's just a bunch of nulls.
When you go to restore, it will also uncompress quicker because, again, the empty space is just a bunch of nulls, instead of random bits.
This means you could do a quick restore from a compressed image off a cd-rom, even with the cd-rom's lower data transfer rate.
I have looked at webroot's product, and PestPatrol. Long story short, pest patrol is easier to deploy, easier to manage, and catches more stuff. The next version is going to be more friendly for larger networks (5,000+) but the current version is easy to manage from one management console.
My favorite part of the product is that you can clean your network without leaving your rolling chair.
Spybot and Adaware are great for single machines, but in large WAN/MAN/LAN sites they are to $$$.
PestPatrol.com also has the best information on the net about pests and on getting rid of scumware (free *as in beer* even if you do not buy the product).
Good luck!
---
Reader's note:
(My company sells PestPatrol so please take that into consideration. That being said, I have spent tons of time evaluating both products. They are the best two solutions for the managed network.)
I recommend just sticking a firewall up at the root of your network and blocking all traffic on port 80
..joke?
This is hilarious! Oh, and other advice to follow: "Don't drink water because thousands of people drown each year!"
If someone needs to access a site, have a system where they can request a site to be opened for access. Of course...you (as network admin) have final say.
Haaaaaa! My gut can hardly take it! Why should the admins waste time on securing the network when the admins can take their whole day manually relaying terabytes of internet data to workers? This is a great joke! I mean, then the admins can actually give permission to some perv at work when he needs to satisfy his daily allotment of porn! Keep the jokes comin!
Work is for work.
Wait a sec...you actually sound serious here...you mean...no
HAA HAA HAA! I can't believe someone thinks this is a solution! This is brilliant! Wait, this is more than brilliant! I mean, let's PAY MONEY for an internet connection and then block port 80 at the firewall so that no one can access the internet!
Oh wait...wait...I got the idea! How 'bout we also remove all the toilets from company bathrooms, so employees don't waste so much time reading the newspaper on the crapper!
Well, I would normally recommend Pest Patrol. They're located across the hall from me, I've had lunch with their CEO and co-founder, and it's an all around great product with some talented people behind it.
:)
Oh wait...CA bought them, the new v5 sucks, and everyone who worked hard to make it great is about to lose their job.
Ad-Aware
If you want to play hardball, let them approve silly stuff. Make sure there is a paper trail of who approved what, and make sure they take the heat for whatever problems are caused.
You need the support of your own management, and a evil+political person to prepare the very thorough document describing all the problems caused by $stupid_app. Don't be afraid to estimate costs incurred by the incident.
If management finds their own nuts in the wringer because of a dumb decision, they might not sign off so quickly next time.
(If you don't have the support of your own management, of course you're fucked anyway.)
The companies with hard-ass policies didn't get that way overnight, you need to demonstrate the problem in a way that even senior management can understand.
When someone's computer gets fucked up, just set a firewall on their IP so they can only access a list of websites, and block their email so they can't receive any executable attachments. That'll teach them.
There's no reason for most people to need access to the whole internet at work, other than work would really suck if I actually had to work instead of sitting around and reading Slashdot.
format c:
As for the long answer, The company I've been working for is facing the same issues. We've tried our best to use spybot and adaware, but as explained, they aren't working as well as they used to. We've seriously been sending out bootable cd's which reinstall the entire os and software packages we use. This is the second step. The first is educating the end user on not what to do, what not to click. I think most people are simply pressing 'yes' to just about everything that popsup on their computer screen, obviously contributing to the problem. I think until anti-spyware software improves (the next versions of major antivirus suites are going to help this), educating the end user and then finally just reinstalling everything is one of the only practical solutions.
Personally, I find the situtation appaling, but understanding the situation from a different prospective, it's actually a good thing. I'd much, much, much rather have commercial companies exploiting these bugs NOW then some 14 y/o or super ninja hax0r from North Korea exploiting these during some massive pearl harbor like attack.
Don't allow users to download or run activex and such. simple pimple control.
If I wrote something witty, you would say I stole it from somewhere.
Aggressive quarantining is great. I actually quarantine zip files - there's a small false positive rate, but the work caused retrieving the occasional quarantined file is minimal compared to the time and effort saved by blocking them.
;-)
I'm lucky enough to have most of my users either smart enough not to open suspicious attachments, or on computers where it just doesn't matter. The LTSP users, obviously, can do whatever they want - though they're encouraged to follow sensible security rules anyway, both at home and at work. Ditto the MacOS 9 users. For the win98 and XP users, it looks like the message got through on something like the eighteenth try for most of them, and they now tend to act fairly sensibly.
Given that I have the class of user who will call me and say "my email is broken" when somebody (one person) said they sent a message five minutes ago and it hasn't arrived yet, I wonder at your organisation's choice of staff
get a real Operating System that simply doesn't have these types of vulnerabilities. there must be some tipping point where the costs incurred from handling spyware/viruses/vulnerabilities over the course of YEARS will outweigh the cost of switching to something else. Linux, OS X, *bsd, Hell, even Solaris will eventually cost less than handling spyware. At least with Linux or *bsd (and possibly with Solaris) you can re-use your existing hardware. Seriously, I get so tired of the poor bastards stuck using Windows whining about all the crap they 'have' to put up with. It's just ridiculous.
Webroot has software the runs in the background and immediately blocks and removes spyware trying to install itself. It does a great job. I've also found that it gets rid of anything AdAware and SpyBot miss. I rarely run those two anymore - one scan w/ webroot is usually enough.
"Upon attaching the waterblock to my penis, I began to notice that I know nothing about computers." -- JRockway
Pest Patrol. There is a 30 day / 25-user trial available online. Pest Patrol They were recently purchased by Computer Associates, and this product will be rolled into their Secure Content Manager package in a year or so.
-sid
but they got bought by ComputerAssociates so wait and see if CA jacks up the price or screws up the product. I actually pay money for anti spyware and firewalls....the update services get to my cmputer before most new and variant infections do. it effectively removes exe's, reg settings and BHO's. But then I quit using IE a year ago so I don't know if there is much need for all that protection.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
According to the presentation on security given by Cisco this may be the ultimate tool for larger environments: http://www.cisco.com/en/US/products/sw/secursw/ps5 057/index.html
It's supposed to lock machines down based upon master policies that you set centrally, and when laptop users reconnect after being 'out of the office' they can pull updates right off the central configuration. And it can be hidden from the end user.
The downside is that it comes from Cisco in a proprietary binary and that you usually have to get it from a channel, but if it works as advertised....
Setting permissions the way you do will help some but IE has enough holes to drive a truck through. It makes absolutely no difference if they are locked down or not. The fact that IE can be used to execute code makes you and your network vulnerable.
Being the good little MCSE that you are you probably jepordize your network by using IE on your own machine. Now imagine you hitting that nice little web page that joe hacker left on the internet that installs code on your machine and executes it, bingo that's right he has your entire network by the bag.
Got Code?
My solution is simple.
No user can write to the registry in the common spyware places. All access to write to the ares of the registry that is commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install priveleges. All apps are deployed through GPOs. There is a white list of approved ActiveX in general and BHO controls.
Spyware usually requires BHO access to tap into IE. Removing that access is good. White list enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.
Leonid S. Knyshov
Find me on Quora
First off, you are going to have to start off clean. That means spending time at each workstation. There is no magic wand that will get rid of everything your machines have gotten. You got to use the tools that are available to start clean and then focus on prevention. Cleaning: Have someone set down at each workstation. Install and update ad-aware and spybot and start them running, clear temp internet files and cookies. Prevention: You are running a DNS server on your network, right? Put this list domains in your dns pointing to the loopback address: http://mvps.org/winhelp2002/hosts.txt Or, you can install the file on individual machines as a hosts file (as was intended by the authors of the list above) and "lock" the file with this http://www.mvps.org/winhelp2002/lockhost.bat Install Spybot and during installation, install the updates and use the "immunize" feature. Increase Internet Explorer security settings. Install Mozilla Firefox, make Qute theme the default. Right click on the Firefox icon on the desktop and quick launch bar and change the icon to the famous blue e icon. Change shortcut name from "Mozilla Firefox" to "Web Browser". Install the flash plugin and put the stupid "go" button on the tool bar. Make firefox the default browser when asked and also go into the windows control panel and make it the default again. (Windows Update when lauched from the start menu will still launch in IE.) Tell users not to download and install anything from the internet because it will break their computer. If you don't tell them, they won't know. Good luck!
A poor joke at that..
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Now you're ready to do a dd if=/dev/source_partition of=my_image.img
When you zip the resultant img, it will compress much more because, instead of random data on the unused parts of the drive, it's just a bunch of nulls.
When you go to restore, it will also uncompress quicker because, again, the empty space is just a bunch of nulls, instead of random bits.
no!
when you say "compress" and "uncompress", yes... gzip or compress will run faster, but dd doesn't do "compress" and "uncompress". It writes all the bytes, no matter what is in them. To speed up the dd, make a smaller image, not a larger one with lots of zeros.
You mean like linux?
I have found for most industrial/office application the chicken can be substituted with gas station fried chicken giblets. It is crucial they come from a gas station and not some repudable source for food. The source where you can find the best are along interstate highways in the rural south.
The optimum cerimony changes involve using the grease form the paper bag in leu of the standard chicken blood and doing all requisit latin chanting with a strong nasal drawl
I used to have a cool sig, back when I cared
Set up your internet proxy to block executable files. Also scripty files. Whilst you're at it, try getting your mail server to do similar things. Set up a dial up machine in the IT department for such things that are required to do the job. As for deployment between campuses, try setting up a VPN that would ignore the executeable ban.
I have found such policies to be a good thing in administering a similar sized environment to you. People will bitch and complain that they can't get some stuff, but what they are really blustering about is that they cannot download their favorite internet app. Explain that any work related executable can be downloaded by logging a job with your helpdesk, and that objection goes away, as does a whole bunch of complaints.
I'd have thought this was obvious.
A sig is placed here
To display how futile
English Haiku is
Now, I'm no Linux zealot (in fact, I develop and sell Windows software) but I have had several years experience admin'ing a student-run computer lab and I have learned a few things about spyware.
We had Windows 2000 machines installed, and for the longest time keeping them up to date and users locked down to regular user privileges prevented the spread of nasties. Individual accounts got spyware and viruses, but it didn't spread across the machine.
Then over the past year and a bit I noticed that even though I kept the machine up to date, spyware did seem to "leak" from one user's account to elsewhere on the system. I do keep the systems patched, but sometimes I am as late as a week applying a fix. Let's face it, I have better things to do and I'm not paid to look after the lab.
But here's what I recently did. We set up our beefy Linux server (which already acted as the primary domain controller for the NT domain, with samba) as an XDMCP capable server. This means that any UNIX (or windows) station can login into the server as a dumb terminal, using XDMCP. This is done easily with Xfree/X.org with the command "X -query hostname"
So now we still have Windows 2000 and Windows XP stations, which are clean at the moment... but I suspect that the Linux workstations are going to fare better over time. After all, they're dumb terminals to the Linux server. People can still run Mozilla Firefox, OpenOffice which takes care of 99% of our users' activities. People are happy, I am happy, and we're re-using old equipment (graphical terminals) that would otherwise be occupying landfill space.
Sometimes management is just clueless and will buckle to user's demands to allow them ot have admin access. Sometimes, they tun specialised programs that will not NOT run properly without admin. Espically in the case of engineering apps, there sometimes is no alternative, this is the only thing that does what it does.
I agree as a general princliple: Users should have the minimum amount of access they need to do their job. Unfortunately, that is sometimes full administrative access.
I use steadfast. Sounds a lot like the other solutions, but I like mine best as I can select multiple "unfrozen" directories, which makes it better for programs that get patched a lot. No network overhead.
Often wrong but never in doubt.
I am Jack9.
Everyone knows me.
It's not a perfect solution, but if you can disable IE on your computers and force your employees to use Firefox or Opera, you'll cut down on a lot of the spyware vulnerability.
You can also force everyone to store everything on a network drive. That way, if someone's workstation gets too screwed up, you can just replace it and have them keep working.
It's good to use your head, but not as a battering ram.
If you read the post (since you quoted it), you can see that I then said "When you zip the resultant img....:"
However, one thing I didn't mention, that also speeds up the whole process, is that the ext3 file system will also handle large files with lots of nulls by NOT recording the large chunks of null bytes, just a marker. I tested this by creating a 1.7T (that's terabyte) file on a 40 gig partition. Lots of space left over.
My point on the smaller compressed image is that it's quicker to read a smaller image and uncompress it (especially one filled with nulls, which compress nicely), than to read a larger image filled with large stretches of random data.
Remember how stacker was able to do this way back when and actually increased performance? Still holds true today.
Depending on your budget, try Encase Enterprise by Guidance Software. EnCase is the forensic program/application used by the US Govt and also by most of local and foreign law enforcement investigators as well.
The Enterprise version takes forsensics a step further, utlizing a client listener app which runs on the desktop and after establishing a baseline of permitted apps, can be used to detect and counter malicious apps running on the LAN and WAN as well as imaging drives realtime for investigative purposes.
Investigations have been performed from halfway around the world with the click of a button. Another selling point to the PHB's is that it can be used for HR investigations as well, making it an easy ROI for most companies.
http://www.encase.com/
Most of the bright windows admins on here are going to tell you to use permissions to lock down the workstations and take machine admin rights from the users. Now you have to sit back and ask yourself is that really going to help? Yes it is probably going to help but they are really luring themselves into a false sense of security. Now ask yourself how many of the windows admins that you know use IE? That right most if not all of them use IE. So now ask yourself what does that got to do with anything? Well if IE can execute code easily at user level privs then what happens when that stupid windows admin browses to a page containing malicious code? That's right the worm, virus, trojan has full admin privs.
What do you do to avoid catching the flu? That's right you get a flu shot. So do yourself a favor and get a flu shot, install mozilla on the clients everyone will thank you for it anyhow.
Got Code?
The best way is always prevention, 1. If they have to use IE we make the default ZONE setting for Internet High and Medium for everything else including local zone and trusted. We have yet to find (Business) applications that this breaks. Yet no pop-ups no spyware - works as well as firefox minus tabs. They will have to add banking and other ActiveX/Java/Download type application sites to the trusted zone. Any MS box I use this is the first thing I setup. (assumming I can't install Firefox) 2. Patch Management (Many Spyware and tojens use exploits to install.) Patchlink is good multi-platform choice. www.patchlink.com but there are many others. 3. Web Scanning solution. (e.g, ISS, Mcafee, others?) Scan for ActiveX and Java Exploits on Web traffic. 4. PestPatrol now has a solution that does not require a client. I asume others will have simular solutions soon if they already don't
I work for a company that provides system and network adminsitration for small- to medium-sized businesses (5 to 50 workstations): law firms, accountants, car dealerships, home design shops, retail, food service...
Whenever possible, I try to suggest alternatives (OS X or Linux, especially on the server side). Invariably, there is some application that is integral to the operation of the business that can only run on Win32 platforms.
For the law firms, it's scheduling and time billing applications like Amicus, Abacus Law, Time and Chaos, and Timeslips. For the design shops, it's their specialized CAD programs. The car dealerships could have transitioned to Linux/BSD/OS X, since 75% of their business computing applications are run over terminal sessions to an ADP server, but the rest of their business apps are web based (ActiveX and Adobe Acrobat being the dealbreakers).
For just about all, the books are kept on Quickbooks/Quicken or Peachtree, and they have to maintain compatibility with their outside accounting firms (which means no GNUCash, even if it was a feature-for-feature match).
I'd love to get the car salesmen (who are bored and spend too much time surfing pr0n sites) off of Win32 and on to a less vulnerable platform, but it ain't gonna happen anytime soon.
As for the Microsoft hegemony, the ISVs are willing accomplices (does Intuit have a Linux product?). Quoth the monkeyboy: "Developers, developers, developers, developers, developers!".
k.
"In spite of everything, I still believe that people are really good at heart." - Anne Frank
If businesses used your logic, there would be no PCs. We would still all be running green screens off of mainframes. It is those terrible users that found they could do thier job 5 times faster by going around IT and running apps on a 'toy' (PC) that has gotten us as far as we are. At least 2/3 of the Administrators that I have run into are not competent, and are simply not well versed enough in business or technology to determine what software is necessary and what is not. The comment about Kinko's is a perfect example. Remember the 'Shatter' attack? If you had access to the machine as any user, you could get admin access. The Kinko's Admins are probably thinking that they don't want the huge PR problem that happens the next time a similar hole is found, and some script kiddie grabs copies of confidential documents for weeks or months before the attack is made public and a fix is released. SNL's 'Nick Burns' is not far from reality.
Maybe I'm just new to this game, but we tried locking down users and ran into so many problems going to users machines to fix issues and having to log out and back in as Admin, fix a simple issue, log out of Admin and back into the user that it became more of a hastle than dealing with the spyware.
Why doesn't Windows have a quick "root" solution? Why can't you quickly and easily elevate a user to admin to fix problems and then demote them back to normal users. Am I missing something?
P.S. I know people are going to ask...give us an example. Well, I had a user we locked down (because this user LOVES smiley face cursors) and we had nothing but problems with her printer. We tried regular user (which locks down printer adjustments) and we even tried Power User which allows a user to manage their printers, both created a lot of issues with printing. Sometimes it would print just one page, other times it wouldn't print anything. When we gave the user full admin rights, all the printing problems went away. We've had similar experiences with network issues and troubleshooting. And quite frankly, regardless of the problem, not being able to go into control panel, or internet explorer options or the registry to make adjustments, or remote control a users machine, all make our job more of a headache than leaving them with admin rights. Correct me where I'm wrong here folks. If there was a "root" option where we could just elevate to admin, make changes and fixes, and demote I could handle working through all the various problems we have had with locking down machines.
In analyzing the problem, start at the source. As a consultant, I support an equally large user base. While there are a few machines running the MicrosoftOS, the majority of my installed base are running MacOS or some other version of *NIX. Execpt for those few Windows boxes, I rarely see any sort of major problem resulting from web browsing. Email is an entirely different story.
wherever I go, there I am.
127.0.0.1
REALLY?
I have a coworker who used to swear by windows, heck I used to swear by windows (ah the days ...) but as soon as these "very smart people" are introduced to linux/un*x they realize what they have been missing. (Security)
Now before you go modding me as a troll ... I do concede that Windows is used by people because of the superior interface, but even that is being erroded by the likes of KDE/GNOME/XFCE4 ... I mean I get frustrated when I have to use a windows box because of the LACK of features..., but I know that many smart people do use windows, and I am simply saying it is because they haven't been properly introduced to the alternatives.
This is just sig!
by patches on the squid proxy to work as a content filter (some existing patches with some custom filter modules). By disallowing the User-Agent "MSIE" we could very easy identify evil traffic (hinding behind that browser). By forbidding downloads of problematic content we could find one remaining gator instance. Some perl scripts crawl over the filter logs and pipe cought traffic to a virus scanner for thread analysis. Since then we did not have any further incident nor any left network anomaly.
If a user has to make downloads that the filter rejects he can ssh/telnet to a box and use wget to manually download stuff.
Some domains (windowsupdate...) are not filtered to allow online updates.
If anybody is interested I can make the patches public available (but it's working ontop of existing patches, I only inserted the exe/zip filters).
Cheers
Comment removed based on user account deletion
A normal antivirus application will do the job just fine. Since spyware and worms is essentially the same beasts an antivirus application already has the mechanism for discovering and removing the spyware and the register keys.
There is a reason as to why the Antivirus programs dont include av definitions for spyware. The insane US court system has the vendors sitting on their hands in fear of getting sued out of the map by some greedy SCO-like spyware vendor. Because some spyware is "legit" (as in the user clicked on something before the install) this is a misty area legally.
HTTP/1.1 400
I've thrown Knoppix in many machines, as experiments, and found the users more than willing to use it, and even able, usually.
You claim there is no Microsoft Word for Linux. Go look at Abiword or KWord, in KOffice; they work perfectly for me.
You claim there is no Access for Linux. Google for mdbtools, you'll find all the tools you need for moving from MDB to a reasonable database format.
You claim Visual Basic does not work under Linux. First, why the hell are you using Visual Basic on production systems? Second, WINE does Visual Basic rather well, last I checked, given the various VB controls.
You claim the cost of changing hardware is too high. I have never had to replace any of my hardware because it was not supported under Linux. Never. Whenever a machine did not have a driver, it was always because the hardware was new, and within a month or two, drivers appeared.
I've never seen any users go ballistic about how the text or "start" buttons look under Linux.
I don't know what environment you're in, but in my world, all Linux needs is to be given a chance.
It's only an insult if it's not true.
You know guys... you wouldn't have jobs figuring out shit like: "I need a solution to out Company X Spyware/Adware/Virus problems." if you all had Macs. Or even Linux of one variant or the other. I'm just saying that you all should be glad you still have stuck-up and ignorant/arrogant bosses that are still brain-fried into thinking that Windows is the answer.
Folks create irritating things like spyware because there's a market for it because MS allows holes to exist.
I personally don't let any of my computers cater to advertisements short of banner ads.
Corporations need to see that there is a huge amount of gain to be had from NOT running windows on every fucking workstation from here to the server closet. The amount of money and time saved would blow most CEOs away.
Computers are not the problem at all. It's Microsoft.
I got nothin'.
This post on BugTraq suggests that Mozilla and Firefox will have security problems when they get popular enough. The evidence is pretty compelling, too. Current testing procedures for Mozilla are obviously inadequate.
Whoever corrects a mocker invites insult;
whoever rebukes a wicked man incurs abuse.
--Proverbs 9:7
Keep it civil! There's nothing to be gained by accusing people of being an MCSE.
Although you make a salient point - use of IE at all is a risk in any IT organisation.
To an extent locking down a workstation is effective when using IE - most (not all) spyware is derived from popups and click-here's that launch as a result of the very flawed design of MSIE. Locking down the WINNT or Windows folder will prevent these spyware articles from installing correctly. This does offer a good degree of protection from Bonzi Buddy.
Of course, web browsing admins are quite often the cause of many disasters in I/T. I remember a helldesk employee of ours once went to a russian website and had our whole corporate link running a DOS attack on someone we didn't even know within hours.
I am government man, come from the government. The government has sent me. -- G.I.R.
block access to the internet -nt-
I manage an active directory domain and I've taken care of the major offenders through group policy.
First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certicate to the file.
Next, I add that certificate to the list of banned certicates domain wide. It works great and fixes the problem of people installing spyware without knowing it.
Install VNC over the network (or other comparable remote-control software; VNC is free and GPLed) and put HijackThis on a read-only network share.
If the user reports problems, VNC into the machine, run HijackThis as root, and remove what you need to.
Running as User or Power User will help, but it won't stop everything.
Try adding the MVP Hosts list to the firewall's shit-site blocker.
If you can, put SpywareBlaster into your image set for the machines you clone and force a once-a-year reclone with updates.
There's also the simple idea of not letting your users use IE. Force them to use Firefox, Opera - anything but IE.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
But how about just locking the systems down? I worked for a small business (I know that doesn't really translate to 2000 users) and we (I) used GS98 to secure our Windows 98 clients (again, I know, they are out of business and no-one should be using 98 by now anyway). This worked pretty good, we had desk staff sitting on them at least 17 hours a day 365 days a year, checking their email, everything you don't want them to do. But they couldn't access settings (no, not even custom desktops, I'm *that* mean) and they couldn't install software on their own.
;)
It made a little more work for me. There was no walking them through the steps to fix something over the phone (almost any administrative stuff required a password). But every time I had to come by and do work on one of the pc's I was amazed at..well how good they still worked.
The software I was using had multiple levels of admin login, so I could even give the ding-bat managers "special" passwords with a few extra abilities (not as if they'd ever actually configure/fix anything, but it made them feel better).
Anyhow, there must be something like this with Windows XP (or for it) and I don't see any reason that wouldn't fix 99% of your problems.
Since I'm currently a networking student I'd be really curious what people in industry really do do (I'm not sure we'll actually be covering that in my education!).
For the record, I know circumventing GS98 is trivial. I wouldn't have deployed it if I didn't try breaking it first myself (simplest way was to rename an executable to any application on your allowed list). But that *never* came up with my users.
Quack, quack.
"Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"
;-)
There's something even better, which will never get these problems in the first place: Linux
Software that demands an insecure environment should not be installed. Period.
I am pretty sure that Palm (or PalmOne or whatever their name is this week) wul be more than willing to change how their apps work if security conscious WIndows SAs would demand this fixed.
But there you have an oxymoron, no wonder companies can get away with nonsense like this (not in the UNIX world, sometimes we get applications with lax security and it is sent back to the manufacuter. Normally things get fixed very quickly).
IANAL but write like a drunk one.
That is the bulshitiest excuse in the history of mankind.
.
You explain to the suit that you can't install the software because that would make your network a virus/spyware testbed.
If the suit inisist have him put it in writting exhonerating you from any responsibility and financial damage the company may suffer
It always amazes me the deference that some people have for somebody wearing a suit and with an important sounding job description.
Your job is to make that network safe, in spite of the owners of the company themselves if necessary.
IANAL but write like a drunk one.
Comment removed based on user account deletion
.... ACs start at -1, so that means people have taken notice and are actually modding it up.
:-P
Did you read the FAQ
IANAL but write like a drunk one.
So instead of working through the system to get changes effected. Most Americans try the "I'm a rebel" approach to solving their problems.
Or... think of it as The Spirit Of Ingenuity, the Pioneer Spirit, blah, blah. All those thing that made, and continue to make, restless people leave The Old Country, and make better lives for themselves here.
No wonder people feel uneasy around your country.
Because the people still living in The Old Country are the timid ones, or satisfied with the status quo?
"I don't know, therefore Aliens" Wafflebox1
The owner of a large structure notices it is having problems. He asks for advice and gets it in truckloads. "Fix this, change that!" "No," say others, "Change this, fix that and fold here!" The advice is plentitudinously ponderous and most precisely proportional to the problem.
Seeing an old man chuckling at the circus of advisors with their advisements , the owner asks him what is the source of his amusement.
"You refuse to accept what you see: The structure is built of sticks held together with mud, it is built on a sand foundation, the bedrock below is cracked basalt laying atop an active fault. So you built a pretty facade on it. Take your lesson, cut your loses and move on."
The owner looks at the structure, looks at all the advising advisors, looks again at the old man, shakes his head and sighs: He buys a cherry coke and takes a walk on the beach.
Everything in the Universe sucks: It's the law!
5) http://store.apple.com
Some people mentioned dumping IE, although I second that recommendation for eliminating most trojans/backdoors out there in the wild, I would not recommend to do that for having to deal with spyware.
The problem is more fundamental, spyware per se is just a small program which in most cases is installed by the user, most of the times it comes with some kind of shareware which gives you full access if you install the spyware, in some cases it is installed by an exploit.
Locking down the IE only helps you in the second case.
What you have to do is to sandbox the user, Windows can do that, but that means that the user basically has no rights of program installs whatsoever. If you can justify that go ahead.
The other solution is to go with a system where spyware is not rampant as in Windows. Macs, Linux, BSD come to my mind, but most users would feel unhappy about it probably.
The third one is to keep the data on a separate disk/networked computer and simply overwrite the users installation on a regular base.
None of these solutions would make the user happy because you take the power away from them. Anyway getting more and more antivirus scanners or anti spyware tools is like doctoring on the symptoms and not the cause. In case of spyware it is using a lousy hole ridden browser and users installing everything left and right on their workplace machines without knowing what could happen.
I was with you right up until you said penalties. How many work environments will let the IT department waste time and valuable (well, sometimes) resources with petty penalties? I'm all for limiting what a user can do, after that its just them and god (and their boss of course). :)
Quack, quack.
SpywareGuard does exactly what you require. It scans software when you open it and stops it from mucking about with obvious spyware related registery keys.
To their credit, they did only originals, I understand. Seven years or so after Bob divorced his *babe* wife, and I'd lost touch with both of them, I'd gotten together with her and we agreed that the band sucked...especially after she heard my band.
No pointers to that, as we are an acoustic cover trio, doing CSN&Y, S&G, Eagles, Jackson Browne, Springsteen, all old fart music (which we are)
It sounds like your band is going to have some acoustic flavor to it? ;-))
db
Cig:
ôô
My mod points expired yesterday, this post should be +5, Informative.
Palm's software should be easier to set up for non-Admin users, but it can be done.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Rather than starting flame wars or arguments over permissions...I'll endeavour to answer the actual question. First, Spybot Search and Destroy now contains Tea Timer, which will actually prevent installation of spyware components and warn of incoming spyware. This is at least worth mentioning.
Second, Java Cool Software has both Spyware Guard and Spyware Blaster. Both are free (at least for personal use), and both do a pretty good job of preventing the installation of spyware components. Spyware Blaster is specialized for blacklisting bad Active X controls and the like, but also has protection for Firefox vulnerabilities. Spyware Guard is a background guard to warn of incoming spyware and prevent some installations.
-Jay
Wow. What a predictable post. And you bagged 3 points for that crap?
problem goes away.
In the latest version of Kaspersky Anti-Virus, you can choose to download "Extended databases", which not only detects viruses, but also malware, spyware, adware and the likes. Since it is a realtime scanner, it should prevent those programs from running.
Wanna bet? Remember Blaster, Slammer / SQL Worm? How much did we lose? S.Korea was knocked off the 'Net.
Even a feather in the hands of a Dumb user is still dangerous ! He may tickle himself to death.
LAN Admins lock down systems BECAUSE they need to protect you from yourself. or better yet they need to protect the company investment in you from going waste because you installed some Anna.K screensaver and end up saying "Doh!"
As long as users like you are dumb and stupid, you will continue to be treated like kids: Childproof everything.
"Doing what i can, with what i have." ~ Burt Gummer
I know that it's not an easy answer but I'm amazed that companies with well paid, knowledgeble staff still insist on buying second hand cars of the same dealer they bought the first lemon off, leaking oil and all.
;-).
The fundamental problem is not the spyware or virus infections, it's the platform allowing it in the first place. I disagree with locking down users - that doesn't always work for the company. Simple privilege escalation ON DEMAND (i.e. not running high by default) is the only way to contain this mess, and that ain't Windows. Anyone using KDE has now gotten used to the fact that they don't need to run teh system as root to make it do anythign they want, including installing new code. Why? Because privilege escalation is well implemented, you know when the system needs more access.
Add training, remove Microsoft, zap 95% or more of the current problems, and that's without mentioning improved stability and much lower license risks (also kinda nukes FAST/BSA's business model but I must admit that doesn't make me feel sorry somehow
Windows: the time for excuses has passed.
Insert
Any time you have to deal with a technical issue that involves user interaction as a component of success, you will need to propose to management, a policy that bolsters the behavioral aspect of the solution; Users need to be made, by management, to have some degree of awareness and culpability for virus and spyware infections.
"Frequent-fires" users will be compelled to learn some digital hygine.
Most large and medium-sized businesses operating today have some sort of policy on sexual harassment/hostile workplace/conflict of interest/Internet and PC usage policy, etc. Generally, users understand that these policies are for eveyone's protection - With ~2000 PCs in the mix... This is definately where you should start... Policy Covers Your Ass.
On the technical side:
1. Router logs, intrusion detection, and sniffing as trending tools to show your boss what's up with traffic.
2. Good, solid desktop images/ app pushes/ GPO's - harden the Registry, Security Policy, individual apps as necessary. Beyond that - when a machine is sufficiently infected, it should be replaced with a re-imaged one --- it can be faster than cleaning, and is a hell of a lot more complete. This also reinforces the notion of users not storing important things locally.
3. Helpdesk tracking software - What users/machines/network segments are continually having the same problems? Does Human Resources need to be the next step for some people?
4. Desktop management software - provide your boss with stats on just what kind of crap is showing up.
5. If you must use/develop software that may enable or even contain spyware, you have a particularly tricky problem that concerns both company policy and IT best practices.
Of course, you know your boss, I don't... How you implement these suggestions is different for everyone. To some, it may seem draconian, to others, quite lax.... To some, budgets will not allow the necessary attention - for others, this kind of focus could perhaps justify a budget increase.
Oh... And consider the broswer's role in the business - what is an acceptable $$ loss for a preventable issue? Have you already spent that?
My $.02
Please familiarize yourself with the Immunize feature of Spybot Search and Destroy. Its quite useful.
Yes it's a pain for the users, but it does alleviate the potential of corporate espionage (don't beleive it doesn't exist, it most certainly does) and also spyware/adware/etc screwing up your computers.
So does cutting off the electricity. Or how about firing everybody and shutting down the company entirely? Then we'll finally all be safe.
sudo ergo sum
I agree that MCSE was a bad name during the NT4 days where you read the books, get a copy of Transcenders and download braindumps and you could go and get your cert without ever installing the OS.
But right now I am updating mine for 2003 and they have really done a lot to cutting down on the above. It seems that they have gone through and made the questions hard enough that you really need to know how it works. Which is quite refreshing.
4). Invest in a decent SAN and keep the roaming profiles there, ALL documents should be kept on the SAN / roaming profile so that re-imaging the computers when they do get things on them does not cause valuable work to be lost.
that is great for a single office. it's a nightmare for other offices.
ever try using a company system at the end of a 512K pipe in an office of 3 people?
you just made them all useless.
now have that office of 30 at the end of a T1 use it...
they are also useless now.
a SAN a BCD needs to be installed in every office with over 13 people and a full T1 for EVERY office.
but corperate NEVER EVER does things like this.
proper netowrk engineering that ENSURES high performance for the end users is more important than saving a few extra bucks.
Do not look at laser with remaining good eye.
Is another client side app to maintain on windows.
Any proxy that's worth a shit can do this for you.
It's very simple, really. Set up your users as a limited user account, instead of an Administrator on the machine. Problem solved. No need for Ad-aware, spybot, or any of those machines. The user will not be able to write to the registry (HKLM), or write to system directories. All of the most common spyware breaks when the user is running as a limited user.
All you need to do is create a policy for software installation. Probably only allow tech people to install, so their accounts would be administrator across the domain.
...Spyware removes YOU!
How about not giving all of your users admin rights? It works, I know.
Actually, the notes web interface works fine with firefox (at least for email, I don't play with the calendar & such via web).
Most of the suggestions mentioned here are some form of "lock down the PC." That is a very good solution, but only if you're using XP or 2000. We have about 300 PCs running 98se and they are most of our problem. We have to do this becuase some of our apps don't run properly (or at all) on XP. In fact, we've got one app that runs only on OS/2 Warp! No spyware on that one.
To further complicate the situation, some of our apps are web interface apps with ActiveX controls which require IE to run. Therefore we can't just run firefox or something.
If we just reimaged the PCs every night, we'd hear a hellacious uproar from people who have things saved on their local machines. You can't change several years of corporate culture overnight. Also, think of the people who don't know what a folder or directory is. They don't know the difference between a network drive and their local drive.
There are quite a few solutions that would work after a year or more of re-education, redeployment, restructuring, etc. but this is not an option for us right now. What we REALLY need is a piece of software that runs the way Symantec AntiVirus Corporate does: allowing us to push updates on a regular basis from an internal server, scan silently, report back to the central server any problems found, block install attempts, etc. Right now nothing we have found will reliably remove and prevent spyware/adware. Even Ad-Aware and SpyBot (the two we most commonly use) do not remove all of the popups, not even right after the new definitions have been released. There is a HUGE market for someone to step up and take care of this kind of thing, but nobody seems to be able or willing to do it.
Firefox
No, really, the majority of the spyware that comes in is through the web and through good old IE. I've been imploring my users to make the switch, and the ones that have have found less spyware related problems.
Browsing the comments I saw a lot about how to stop spyware at the corporate level. My problem is at home. I'm the admin for my computer and I don't plan on making myself a limited account and try to make everything work. What options do I have? Settings/Changing Windows Policy/Software?
since you have spybot search & destroy installed. it's a good idea to get the TEA-Timer running, when a spyware tries to change your windows registry, then it will popup a window asking you if you wanna do the change or not. another way you can avoid the spyware! DO NOT VISIT THE PORN AND CRACK SITES! maybe using a Linux desktop is a better idea.
Even funnier is putting that 1.7 terabyte file onto a floppy formatted with ext2 and giving it to someone who uses linux (that didn't know about "sparse" files) and seeing the look on their face when they see the file's size.
http://pivx.com/qwikfix/
Qwik-Fix Pro is not a spyware killer but it is enterprise level and do protect against all of the browser based vulnerabilities (among others) that are being used to forcefully install spyware. It is a perfect combo together with a spyware killer such as The Cleaner from Moosoft (http://www.moosoft.com/) or Lavasoft Ad-Aware (http://www.lavasoftusa.com/).
The protection against IE vulnerabilities was implemented in September 2003 and has since protected against all command execution vulnerabilities discovered since then without a need for updates. These very improvements to IE were subsequently included by Microsoft in Windows XP Service Pack 2, though the implementation Microsoft choose failed to protect against several vulnerabilities discovered since then such as the Drag'n'Drop vulnerability which Qwik-Fix Pro protected against.
The posts here have been very infomative, a good read and /. at its best but they leave me wondering...
All most all the posts concern MS OS'es and the ways to administer MS networks. Even at home, I run a mix of Mac [OS X 10.2] XP pro, Win2K and, when the lap top comes home, ME. Uniform policy administration and enforcement is not an option now and wait until I plug my Linux or BSD box into the hub. When I run PestPatrol on the ms boxes for the first time, I find all kinds of crap...literally hundreds of corruptions from registry settings to exe's. After a clean-out and set up of the PP monitors, things stay pretty clean. All this talk of "stupid users" and how to protect them from their own carelessness has validity in a business environment but a home network with kids who like avatars and blinking shortcuts and drag in downloads to install without so much as asking me "I found this rabid kitten, can I keep it, Please!" leaves no room for rigor: you just HAVE to approach the problem from the "cure" direction rather than the "prevention" direction.
And BTW, are there any cheap, reliable spyware cleaners for Linux [or are any needed;^]
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I was at a conference about 4 months ago, and a representative from Trend Micro was there. He stated that they already have implemented some spyware detection in their Enterprise Desktop Product, and they were going to be focusing more on it in the near future. Of course, those guys will tell you anything to get a sale, but it might be worth checking out.
Turn off the stupid box that pops up on top of whatever someone's doing and interprets the next "y" or "Enter" as an approval to open the email.
...
.... I went disgrunled for a while referring to them as the "TS Department -- because that's the answer you'll get" after I just happened to luck out and get an honest answer from a new Help Desk person -- I found I had been getting Word VBA errors for NINE MONTHS on a special assigned task, "oh, you're an ordinary user and you don't have the whole VBA package and help installed, oops, I'm new here, I wasn't supposed to tell you that ..."
Anyone who types fast where I work -- there are still a few of us -- and who hasn't turned that Outlook option off will often have email open unexpectedly. And, when it's a piece of crap that got past the filter, it'll do something awful.
Email's supposed to be async anyhow; mine now usually has an Out of Office message saying NO, I'm HERE, but I'm BUSY
Oh, and if you could keep that stupid OOO from replying to spammers (provint it's a good address) you'll be doing better than my office's The-Department-Formerly-Known-As-Tech Services.
As to locking things down -- yes, but
-- I know why the caged bird sings. -- Angelou
Hi.. Newbie poster here.. have you tried spywareblaster it's a program we use on our Windows based machines and find that it will limit the amount of spyware that gets installed. It can be found at http://www.javacoolsoftware.com/spywareblaster.htm l
RevMark
Also, make sure you disable windows help.
Help has little things in it that say "open xyz for me" where xyz is add/remove programs, or whatever.
Also, getting to the C: is surpisingly easy. If you go to the properties of a shortcut, and click find target, typically you're in. You just need to find the right shortcut.
They both work even when the items they open up to (xyz, and c:) are disabled with policy editor.
I work for a large company, and their view is that viruses are only worthy of attention when we are hit by them. Any time we dodge a bullet, that's considered doing our job, and we get no special credit for it.
When something hits us (primarily because we let our users have administrator, and secondarily because we put almost no effort or money into software patch deployment and automatic upgrades) we go into firefighting mode, and when we're done we get a "glad that's over. How do we avoid that next time?" We give the same answer we gave last time, and they respond: "That costs too much. Keep doing what you're doing."
I doubt that any Fortune 500 companies really reward virus prevention.
But Herr Heisenberg, how does the electron know when I'm looking?
Install this, and tell your employees that if the dog barks, HIT NO.
I have installed this on 2 very computer illiterate peoples computers and have yet to have spyware troubles since then.
If you don't vote, you don't matter, so don't waste your time telling me your opinion
We run a 16 member citrix farm, and use domain Group Policies to apply restrictions. All requests pass through a proxy server, which is forced as the IE Proxy server, again, using a group policy.
We don't have *any* problems with spyware/adware on our citrix farm.
I'd recommend considering auditing individual user access rights, locally, on each PC. Consider implementing local group policies on each machine, and installing AppSec (check out support.microsoft.com for a free download). If the machine was properly configured, the user wouldn't have sufficient rights to install spyware/adware, barring a browser security vulnerability.
Basically, consider prevention instead of clean-up.
I remember reading one post where someone thought there was a bug in the seek routine because of this.
"Being the good little MCSE that you are you probably jepordize your network by using IE on your own machine."
Lol. I'm not an MSCE at all (I think that's what you meant to say, not MCSE).
The anonymous coward is correct; if you add the user to the admin group, install the Palm Software, and then take user out of the admin group after the first sync, it will continue to work.
...whan you are forced to go thru all kinds of wild, abnormal gyrations to install and use a piece of software. Palm targets their software toward the corporate user, yet they write it in such a manner that a typical corporate user cannot install and use it in a typical corporate (i.e. locked down) desktop machine without the assistance of a rocket scientist.
I recently did an evaluation of PestPatrol Corporate Edition 5.0, which runs in a similar fashion to Symantec's Corporate Antivirus. The software is server based, connects to PestPatrol for spyware removal updates, and can run a daily scan of hard drives to remove spyware. The only thing that is actually installed on the workstations is a small app that performs the actual scans. It's not that expensive either, I think it was about $2k for a 250 user license. Check it out at http://www.pestpatrol.com/Products/PestPatrolcE/
e x.html/
Check Point's Interspect hardware is really interesting. It's a piece of hardware that plugs into your network backbone and protects the network from spyware, Trojans, worms, etc. It doesn't actually remove anything, but if it detects an infected computer on the network, it can either prevent that computer from accessing resources on the network, or if need be, it can actually disable that nodes port on the switch that it's plugged in to. It does a lot more too, and I can't wait to get an eval of it. Check it out here: http://www.checkpoint.com/products/interspect/ind
Hope this helps...
There is a company out there selling a network appliance with custom ASIC that will monitor Layers 1-7 for virus, content and spyware/malware. This could feasibly stop the entry into the network of any of these items for which signatures exist.
However, I have an alternative solution for any environment that has server based or independent storage options to the internal harddrive -- Write-protect the harddrive. What exactly do I mean? Well using a product like Driveshield from Centurian Technologies or DeepFreeze by Faronics you can cause your computers hard drive to reset itself to a known state when the computer is rebooted. Think of it as automatic instant reimaging of the machine upon reboot.
Yes, this means that you'll need to save data onto removable storage or a server but think of it this way. If you force all your computers to shutdown at night when users come in, in the morning they'll be rewarded with a PC that runs as good as the day you set it up.
If you want to make changes to the PC like installing new software, patches, etc. simply reboot and turn off the protection, make the changes and turn the protection back on.
This is really the only current way to keep machines completely clean. All reactive solutions will fail when new threats are not listed in the database of threats. Yes, the machines can become infected and with the security holes in Microsoft Windows you'll still need to apply OS patches to keep virus that spread automaticelly across the network from propigating if they breach the firewall. But imagine how much easier it will be to clean up afterwards, fix the firewall, reboot all machines and apply the daily service pack.
These products are available for PC and Mac.
I am not affiliated with either company.
Aside from individually going to each machine and cleaning them, we try killing the spyware installers and executables. First we installed on a box as much spyware and peer-2-peer apps as we possibly could, and also browsed executable lists on antispyware/malware sites. Then we made a monster list of these executables.
If we were running an XP only shop (this won't work in Win2000 or 98) we would use Microsoft's software restriction policies in active directory. We don't, so this is out of the question.
Novell Zenworks (versions >=4) rogue process management sounds like it may work, but when we tested it doesn't kill apps that start up before the user logs in. So any spyware services aren't killed, even after the user logs in.
Next up was Progkill, an application on Sourceforge.net. Seems to work well on Win95/98/2000 boxes if it starts up. Has a few bugs when starting up. I wish I had a Delphi development box else I would debug it. Bonus points to it for its gui interface.
Finally was roguept (rogue process terminator) on Sourceforge.net. Does the same thing as Progkill, but not as easy to setup. Extremely small though and fast. It is written in C++ and runs as a service so it kills Spyware from the getgo. This speeds up system bootup time.
Comment removed based on user account deletion
I will add two points to that.
For these reasons creating, say, a ram drive would not be appropriate and you would need some local writeable storage of hard-drive size. Or, possibly having only a specific temporary directory be writeable and no other places, if it was possible to implement directory-level write protection, which I think can be done in Windows releases of NT 4 and above, e.g. 2000 and XP.
I think the parent poster for the message this is a response to gave an excellent idea and I commend him on his thinking of it.
Paul Robinson
The lessons of history teach us - if they teach us anything - that nobody learns the lessons that history teaches us.
would you be willing to share what you did to create your unattended package? I am looking at doing this too, but for a smaller network, of only 200 machines, im plagued by spyware
Which OS's are the ones which are susceptible to Spyware? WinXX. Why? Poor security model and ease of bug installation.
Gut reaction is to get rid of the platform which harbors the bugs. But if that isn't possible, then perhaps it is time to change the company usage policy.
Most of these bugs appear from 1 of 3 sources: web surfing, email virii/trojan/worm, or direct computer attack.
With the web and email, you can filter a certain amount, but something will always get through. With the direct attacks, your computers should have its security settings up. The inclusion of NAT/firewall devices for each department/cubicle block/computer couldn't hurt.
Another possibility is to use something like DeepFreeze to freeze the OS hard drive on the computer and have personal and changing files stored on the network drive. Have the computers reboot themselves 3 hours or so before people get into work so when they arrive, the computer is in its clean state again. They login and they have access to their files through a standardized and cleaned desktop. No bugs unless corporate decided to put it there or the tech guy let one get into the frozen image.
Anti-spyware and anti-adware/bugware software suffers from the same flaw as anti-virus software: you can detect and wipe out the current and old stuff, but the new stuff will get you before you get updated. Then all of the other stuff will get you.
I use Linux, MacOSX, and WinXPPro. My XPpro machine has no bugware/spyware/virii. Why? Strong usage policiy(No IE, Outlook, or any MS based internet product. No P2P, no IRC, and no IM. Use of FireFox or Mozilla only for webmail and web surfing. Box sits behind a NAT/firewall box. XPpro system is setup with restrictive firewall settings.)
Winged Power Photography
Sounds like you may be treating the symptoms before the disease. Spybot has a very useful inoculation feature, but Javacool's SpywareBlaster http://www.javacoolsoftware.com/index.html employs real-time protection that is more comprehensive. Use them both and always always keep them updated. Also ditch IE for Firefox, http://www.mozilla.org/ you will thank yourself. It is much less vulnerable to exploits. Try the wonderful Mike Lin's control panel http://www.mlin.net/StartupCPL.shtml to detect and delete nasties trying to boot. Total cost for these security upgrades? $0.00 unless you want automatic updates (which I recommend considering the size of your network). I'm certain the authors would appreciate donations, however!
It may or may not be a consideration, but Kinkos might wipe the machines to protect from licensing troubles... Say I go to Kinkos to print something and need to install a font on the system. I probably have a licensed right to do so (most font licenses allow this, IIRC) but it must be removed from the system after printing.
By wiping the machine fresh each time, they don't have to worry about any spyware *or* licensing issues & the user can install whatever they need to get their printing done.
We have solved this in a couple of ways:
1. First and foremost, our non-technical users are not on Windows. We use a Suse 9 distributed network, with all users authenticating to a DLAP/NFS server and all files are remotely stored for them. For our non-technical users that merely need a browser to access web based administration systems, this works well. The users are using a combination of Mozilla and Konquerer for their applications and kmail for their email.
2. In our development and managerial environments we are using a mix of Windows 2000 and XP. We do not run a domain controller. We restrict admin access from those who lack the technical ability to understand and mitigate the risks. For those that understand, they are given administrative access, but are also given a normal user account. They run their day to day operations on the normal user account and can switch, when necessary to install or adjust configurations. This way, they can do what they need to do, but their day to day operations and their spare time surfing does not effect the machines.
We are a small organization. Our rollout of machines numbers in the double digits, not the triple or quadruple numbers.
In the two years I have been running this organization in this mannor, we have never had to deal with a virus issue and I have had exactly 1 malware issue that had to be resolved. That issue was solved rather quickly, by removing the admin access from the user, as he realized what he had done was inappropriate and he was going to be restricted at that point. Our user education programs are small but effective and they have protected the investment we have in equipment.
GP
SIG not required.
I work for Bridgewater State College and we have used the Spybot, Ad-aware, and Webroot SpySweeper. So far the most successful Spyware remover has been Webroot. This program finds more traces and is easiest to use. There are alot of students that are not that knowlegeable in computers. Now that we recommend Webroot Enterprise addition there is far less Spyware calls for us to have to go to.
Except the first consequence is that we'd be reprimanded for not being a team player, and then we'd not get performance bonuses at the end of the year, and we'd not get promoted.
Your idealism is refreshing, but your understanding of the way the world works is a bit limited.
Respectfully,
Anomaly
But Herr Heisenberg, how does the electron know when I'm looking?
In reagards to the whole discusion of locking down computers and whether users should have acces to the web, or to install programs or whatever.
The #1 arguement for locking down was. You have the apps to do your job, you don't need anything else.
BS
If those apps don't work you can't do your job, and often those apps don't work, and often those apps don't work because of IT.
I used to work at SUN (Where I had the most network/software issues of any company I've ever worked at). the main program for logging calls and so forth was RADIAINCE, which anyone who's worked at SUN in the past 5 years knows about. And what a total and complete piece of Shite it is. But I'm not here to talk about that.
One of the other major tools for working was a web browser, not for browsing the internut, but for browsing the intranet. that's where you did research on problems, research on part#'s and also ordered those parts. No webbie, no workie.
The biggest problem was not getting web access, but when the 6 different pages you needed to do your job blew up and went away. Sun uses Nyetscape, and it's up and down more than a $2 hooker. Never mind loosing your place, but having to re-open Nyetscape and navigate through the pages and logins to get back to where you were.
It was neccesarry for us to do our job to install 3rd party apps. When Opera for Solaris came out some of us were in tears of joy. Some installeed IE for Solaris, we even ried that stupid Java browser SUN has. that couldn't even access 1/2 the pages we needed to do our jobs. (was better that Radiance because when it didn't work on a page, that's it, it didn't work. Radiance was sneaky bastard, you never knew when it was going to crap out. And it was always slower than a 3 legged donkey)
Then there was proxies, anyone who used a US proxy was at a serious handicap. Most of us used Proxies that were 12 hours off from our time zone.
In all, the only software tools that we had that worked were unsupported, or 3rd party ones. The only way we could do our jobs was to have administrator access. Then the network would go down. At those times I'd always yell. "THE NETWORK IS THE COMPUTER!"
Educating users is important, no doubt. But securing the network is the Admin's responsibility, not the sales guy's. So if systems keep showing up with adware and spyware, and the user has "no idea how it got there", the machine has to be locked down or there needs to be an anti-virus-like centralized program to eliminate the malware.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
For windows computers, my home security software list is: Ad-aware, Spybot, Prevx home, AVG anti virus, and I've been using windows SP2 firewall. (I'm undecided whether I really need to download Kerio or tiny.)
I do security
You're tired of IT "Nazis" who impose restrictive limitations upon you and your fellow plebes?? You're tired of being told how to operate your office computer (which, for the record, is COMPANY property)?? You're tired of being treated like an idiot everytime We have to descend from on high to come and fix something that (99 times out of a hundred) was YOUR FUCKING FAULT (the other 1 time, it was the guy in the office next to you, for the record)??
Here's what I'm tired of...
-------
15 hours spent tracking down the last vestige of a virus that got into the network because some dipshit user clicked on that gods damned "punch the monkey" banner. Did I get thanked for preserving the integrity of the company's data?? No, I get told to watch my ass or I'll be out on the street for daring to bill the company for those many hours at once...
-------
Removing the spyware which has crippled your machine causing it to "run too slowly" (the original reason you called me)... oh, and by the way, standing over my shoulder, pissing and moaning about lost productivity... that doesn't inspire me to work faster... especially not when the very next thing I see you doing (while en-route to another "emergency" call) is playing SOLITARE!! Real productive...
-------
Being told you have a virus and then coming into your office to find that you haven't bothered even to open the e-mail I sent out about a new CRITICAL SECURITY UPDATE that you really should install... by the way... it was in an e-mail because the last time, I spent a day visiting every - single - machine in the office and applying it myself, only to get flak for costing everyone 10 minutes of their precious time
-------
Having My lunch/smoke break/FUCKING WEEKEND interrupted because you or one of your shit-headded co-workers desperately need something installed/removed/hit with a stick... I don't need free time, what the hell would I do with it?? I live but to serve you my leige... you jerk-off...
-------
The rules and restrictions we place upon you are not out of spite. We are not fascist dictators making rules willy-nilly in the hopes of catching you with your pants down. These rules are in place to protect the sanctity and security of the network that we get paid to protect. The attitude that you see is the result of years of dealing with people who do everything they can to get around our rules. People who continue to open spam e-mail, who open attatchments on e-mails they have not verified, who wait until a computer problem gets so bad that the unit is no longer functional, who visit unsecured websites, who ignore critical updates (they're called critical for a fucking reason, plebe)... you're the problem, not us... Your right, I am paid to interface man with machine, to make the integration of technology and business as seamless as possible, and to keep the company data stored on the network safe from the outside world... I am not paid to babysit you, I am not paid to hold your hand, and above all else I am not paid to take your abuse... so here's the deal... when you follow the procedures we lay down (if you want to know why the rule is there, ask) so that the problems I have to fix aren't ones that have been caused by you, then you'll stop getting the brunt of my attitude... but so long as you act like a petulent child, demanding that everything run perfectly right now... now Now NOW... and continue blaming us for problems that are all totally preventable... I will treat you like a child...
so either start treating us like real people, or run your own damn network...
The chains are broken
Loki is free
Ragnarok is at hand...
Hi Paul -> Thanks for the kudos. ;^) I should have been more clear when I described write protecting the hard drive with the software described.
This software virtually write protects the drive. As far as the OS/software/user is concerned the drive is writeable. I don't know if you've seen PowerQuest's v2i protector the performs online imaging of the while requiring no server downtime. What these software applications do is use their own swap area to write all changes done during a session by the OS/user/application/etc.
In the case of Driveshield and DeepFreeze the changes are then discarded on reboot. In the case of v2i protector the changes are commited to the disk once the image of the system is created.
The concept is brilliant and keeps your machines from being broken by viruses/spyware and my favorite end-users. While not restricting end-users from exploring their machine in any way, they can actually delete OS files, this software actually puts everything back to the way it was set up initially. Actually, in reality it never lets it be changed to begin with since it uses the virtually swap area for all changes during the session.
Please spread the word this technology can save LAN administrators countless hours of work so that they can concentrate on implementing new technologies to better serve their end-users.
-Nyle
It's called Linux.
Be a PATRIOT--because the only thing we have to fear is the lack thereof.
I'm currently employed by a large health care provider. We use websense to block spyware, malicious content and of course unauthorized websites. Seems to work pretty good. The real problem is patch management for 25,000+ workstations.
You can also give domain users full permission to specific folders... instead of granting All or Nothin' access to their entire computers.
"Lol. I'm not an MSCE at all (I think that's what you meant to say, not MCSE)."
Isn't is Microsoft Certified Systems Engineer?
RE : Kinko's Actually, No. In Kinko's computer rental environments, the distribution is W2K, with account privelidges as you describe, to keep people from running amok. The policy is to re-image the stations once >weekly using disk images via Norton Ghost, mostly to toast accumulated cookies and other detritus. (in more recent bundles, cookies are auto-wiped on logout, which should have been the case from the begining.) Now sometimes you'll find as a customer that a Kinko's person follows after you and re-images a machine, this generally means that the server has told him the machine is misbehaving, which usually has to do with the unreliable software they use for auto-updating the software from Kinko's HQ. Keep in mind also, that those stations run HUGE amounts of proprietary software to deal with ExpressPay (the part of the system that takes your money) which is prone to tripping on it's own guts and falling down in a heap. Kinko's people are basically trained to re-image if something goes wrong that rebooting doesn't fix. If you've been in a branch or read of one where stations were re-imaged after every login, the author was either misinformed or more likely, the staff of the branch in question was not running a current bundle on their rental computers. AIB
Norton AV 2004 and 2005 have integrated spyware i use pest patrol (www.pestpatrol.com)
http://www.npcgaming.com Dedicated Gaming Servers
Many before have discussed the basic Winblows lock downs... no Admin access. (Beware XP sometimes will not update virus or patches with limited access users.) Lose IE as primary browser etc. More some OS to Linux. All good ideas worthy of deployment when possible but in the meantime:
Take a defensive approach vs. offensive:
ISCnetwork.com has a Firewall content Filtering Server, others may also.
It first is a firewall between your current Internet access and the rest of the LAN(s).
1. The FcFS blocks access to blacklisted web sites... porn, spyware, gambling, warez, virus infected, and some other 20 categories if wanted.
2. The FcFS filters out advertisements from pages. Pop-ups are eliminated or just blank. These are where most spywares / adwares are found for the employees to download and install.
3. The FcFS filters out email viruses & SPAM; another source of spywares. FcFS can be set to strip off bad attachments so newest viruses become less of a problem before Norton or McAfee have a cure.
4. The FcFS offers a "Whitelist" of company approved web sites. Some employees can be limited to only a handful of "approved" web sites. Example: If you are a public library and have card catalog computers, the card catalog is all that the computer can ever access.
5. The FcFS keeps track of internet usage. You can see which computer is trying to send out company information by the "access denied" list. This keeps down the constant battle of scanning and debugging what turns out to be clean computers.
6. The FcFS has on the fly website blocking from any browser. You find an abuse that is not blocked like victoriasecret.com add it to the lists.
Good luck with your battle. Our spyware block list has grown from 600 in January to over 40,000. I figure by the first quarter of 2005 it will surpass the virus infection available to XP some 65,000 or so.
First of all I hope you aren't actually saving those images to files then zipping them... Well you probably just did that for clarity, but pipeing to/from bzip2 seems to give the best mileage in my opinion.
I do this on my laptop, the image is ~ 10GB and the rest is zeros, however it's still an overnight operation. I actually uncompress it from an external drive (USB2), which is quick enough. The time that takes the longest is writing to the laptop harddrive, which is slooooow.
To be honest I'm not sure why it takes so long, laptop drives *are* slow but not that slow. I should probably check that the drive is actually in DMA mode.
He who defends everything, defends nothing. -- Fredrick The Great
Look, if you both worked in the USAF, then you know policies and implementations vary widely from base to base. While everybody's reading off the same page of directorates, AFPCA's way of implementing is not the same as DISA's is not the same as Podunk AFB's CS which doesn't fall under the purview of either yet.
.MIL network client installations, it will remain spotty. But it is getting better. For a long time, you saw the "security before functionality" mindset reign supreme and the base CS didn't care if you got any work done; in fact, they rather liked it if you couldn't because it was an indication that the system was locked down good. Luckily that is changing as they slowly figure out that you can secure a workstation relatively well (security is a tradeoff and all you have to do is decide what risks you want to mitigate for what loss of functionality or simplicity) and still let and end user get some work done. A big shift to server-based applications has made this easier too. A single cluster of application servers is much easier to lock down while retaining functionality than thousands of desktops. Now the problems they face are that the application servers have gotten very pervasive and some of the data they serve up is truly sensitive stuff. So they're able to implement good best-practices role-based security at the server, but what to do with the data as it leaves the server and is in the hand of the requester? There is a huge need for good research into some RM technology in the gov't sector in general that can limit what an user can do with output. WHile it would be difficult to stop someone bent on pilfering or leaking info, such activity could be made very difficult with the right application of good RM tech.
The hurdles the AF is dealing (not too poorly) with right now do not differ that much from a lot of the businesses today. Their IT sprung up a little here and a little there, with no centralized view of THE way to do things. This has its pros and cons, but, sooner or later, if from a purely management standpoint, it is inevitable that there has to be some top-down policy to keep things safe but still usable.
Anybody in the business knows that bringing policy down from above onto a wide array of systems that have grown up grassroots over very many years is next to impossible. Until a single authority takes over all
But my original point was, just because an implementation worked as adverised at AFB #1 doesn't mean it would at #2. There's just a lot of variables there and you know it.
Can I bum a sig? I left mine at the office.
Just limit access to what the users actually need to get to and call it good. I work for a hospital, the people who work in the E.R. on second and third shift were notorious for downloading spyware/adware, screensavers, desktops, etc. and then would call to complain their pc was slow. We have Border Manager, but it still let them get to "news" sites that downloaded this crap for them. So we took drastic measures and blocked their internet access by workstation. They can only get to sites that we designate as appropriate for their work. No more calls to clean up machines, and they actually can concentrate on saving lives instead of looking for a great George Clooney screen saver.
I've worked for many comapanies in many IT based positions. Spyware and Virus troubles are a terrible burden. The more computers/users you deal with, the harder it is. On a Windows based network, the best step is to cut Spyware at the source. An ounce of prevention is worth a pound of cure...
Use firewalls and such to block internet traffic that couldn't possibly be work related. For example, blocking some major game sites by address, such as partypoker.com, games.yahoo.com, and so on.
Block port access used by instant message services, such as port 5190(I think that's the one) which is used by AIM.
Set your mail server to not allow executable attachments whenever possible.
Encourage the use of Mozilla based browsers, rather than IE. If IE must be used, disable BHO's (Broswer Helper Objects) to prevent 3rd party software from attaching to IE. (I've found this seems to be the root of most spyware.)
If at all possible, use a web based e-mail system, rather than Outlook or IE.
And most importantly, keep a good Antivirus system on *ALL* machines and force them to autoupdate themselves.
Yes, maybe they can enable the scanner for you in just a few minutes.
And then every idiot in the company comes over and sayd "Oh, I just need this too". Sometimes in a really large organization, you end up with policies that are uniformly enforced specifically so they do NOT have to deal with the endless stream of "just one more thing" they may get swamped with.
Admittedly, it's a limited and short-sighted policy, but if it's been handed down from on high, the IT guys get to play CYA by saying they didn't violate an edict from the CTO or something.
You really do need to take into account the sheer momentum that administrative overhead and policy has in very large organizations before you decide the IT guys are either lazy or incompetent.
Lost at C:>. Found at C.
Myth Myth Myth Myth
The Space Pen (gas pressurized ballpoint) was developed by Fisher at their own expense and later sold to NASA for $2.95 a piece. Both NASA and the Russians have used it ever since.
Moral - Don't let the truth get in the way of a good story.
None of them can see the clouds; The polished wings don't care.
At the school where I work, kids unwittingly install spyware all the time, thanks to IE and various messengers and such. Firefox is only a partial solution, but it's a big step, so I remove/hide IE and place a link to firefox on the desktop and in the start menu. Here's the coup de grace: I go into the firefox link's properties and change its icon to IE's icon! (click change icon, find the IE folder in Programs, select iexplore). The kids never know the difference and when I come back to do maintenance, the machines are usually spyware-free.
I've thrown Knoppix in many machines, as experiments
I've tried it, and perhaps it was the CD-ROM overhead, but OpenOffice.org took inordinately long to start up, and perhaps it was the lack of an accelerated Radeon driver, but I could see the GUI being drawn line-by-line rather than instant rectfills.
10 LET M$ = "Microsoft"
You claim there is no Access for Linux. Google for mdbtools
Does mdbtools have graphical schema, form, and report construction tools like M$ Access does? (looks at screenshot) No, a glorified terminal emulator that allows typing in SQL commands doesn't count as a GUI.
Second, WINE does Visual Basic rather well
Great. Now we can violate M$ EULAs that prohibit running covered products in any operating system but M$ Windows brand operating systems.
I have never had to replace any of my hardware because it was not supported under Linux.
You appear lucky. After over a year, SANE still lists Microtek Scanmaker 4800 family scanners as "unsupported" in red letters.
so okay, you install OpenOffice. Now you have to train 4k ppl to use it.
How did 4,000 people learn to use Microsoft Office software? What kind of turnover do you have in your office environment? Why can't you train new hires on OpenOffice.org and then run MS Office and OO.o side-by-side, with the new hires on OO.o?
What do you do to avoid catching the flu? That's right you get a flu shot.
I can't wait 41 years to be old enough to be eligible for flu shots.