Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"


  1. Webroot Spy Sweeper Enterprise and Lavasoft too by erick99 · · Score: 5, Informative

    I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment, though you can do it manually as well. Definition upgrades as well as version upgrades of the software are also automated. Take a look at this page from their website. Lavasoft also has an enterprise product that is pretty good, though I think Webroot has a slight edge.

    --
    http://www.busyweather.com/
    1. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by SilentChris · · Score: 5, Informative

      You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

      The only one that I've seen get through (and it's not really spyware) is changing a person's homepage. I'm not sure why IE even allows this. Fortunately, the main reason for switching someone's home page (slamming them with pop-up ads) is kind of diminished with SP2.

      My feeling: the vast majority of administrators don't take advantage of the tools MS has provided. The one complaint I've heard ("We use programs that require special permissions, so we can't have staff run as limited users") is bollocks. Do what we do: take a few hours out during a deployment, contact the original software manufacturer (or figure it out in house) and set all the permissions correctly.

      And it's not just unknown shops. I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?

    2. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by trick-knee · · Score: 5, Informative

      proper permissions usage and implementation is really the best way to lock down a machine when you can't rely on the user to keep from inadvertently installing junk.

      and doesn't the great grandparent (first) poster read like astroturf?

    3. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by plierhead · · Score: 5, Interesting
      I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You got the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

      I hear completely where you're coming from, but you're only talking about the side that you see.

      Locking people down, while it may well be a desirable solution because of the shite that is MS, very often leads directly to lost productivity that affects many more than just "folks that like to use their computer to screw off all day". In many cases, the problem is made worse by unresponsive IT departments who have an inbuilt superiority complex and think all users are jerks. Well, many users are jerks, but guess what - if they can't do their jobs, they cost their employer money, normally in a way that IS is utterly unaware of (and probably couldn't give a shit anyway).

      Recent examples at our clients (we provide our system as an ASP, not least to avoid the claws of those freaking MS bastards, but as you can see we are still the victims):

      1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-function scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.
      2. Customer B wants to use our system - it's an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.
      3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

    4. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by permanentE · · Score: 4, Insightful
      The attitude of all you LAN Admins in here really pisses me off, "it's easy, lock 'em down, don't give 'em admin, take away all their PC privileges". It's easy for you to say, you have admin! You can install any software you need.

      I wonder how much productivity you lock-'em-down admins are costing the economy as a whole. You wanna know something? LAN administration isn't the most important part of a company, you aren't making the company any money. Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.

      How does it help the company when every time I need to install some software to do my job I have to call you up and waste a couple of days for it to get approved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?

      OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying to do my job. Leave me alone god damnit!

      /rant

      --
      What was the last law that benefited people but not corporations?
    5. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Mod+Point+Sink · · Score: 4, Insightful
      Back in the mainframe days, they were a priesthood--users could only act with the data through the intercession of them and their terminals. The PC changed all that, and they've spent the last couple of decades stuffing the toothpaste back into the tube.

      Microsoft has greased the wheels with its exploit ridden, high maintenance software, creating security problems of epic proportion that are helping justify the return to the "glass house" in the eyes of management, who worries about things like HIPAA, Sarbanes Oxley, EU privacy directives, Gramm Leach Bliley, and all that--and creating a class of well-paid overseers to manage it.

      The users are mere pawns in the game.

    6. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by ralphus · · Score: 4, Insightful

      Different companies have different political environments and different requirements for user permissions. Not everyone can be as locked down as you are because of various business requirements. Business requirements always trump security requirements, political requirements (like CEO "needs" admin rights) often trump security requirements.

      --
      Revolutions are never about freedom or justice. They're about who's going to be top dog. -- Kilgore Trout
    7. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by Anonymous Coward · · Score: 5, Informative

      What? I've got a bunch of people synching palms in windows 2000. They are domain users and don't even have accts on the local system. try adding the user to the administrators group for the first sync and then removing them.

    8. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by estes_grover · · Score: 4, Interesting

      This problem is just lazy IT. If they can't take 5 minutes to add an HP scanner then you've got the wrong guys in IT...Again bad IT practise ... think of an IT department run by intelligent IT guys not lazy management types like you're describing.

      These would be true statements should the company in question be small - several hundred employees. It's a whole different deal in a large company. In a large company (thousands or 10's of thousands of employees) IT policy is often designed such that the (inadvertent) end result is: slow. The overriding concerns in large-company shops are things like security, audit, documentation, repeatability. In an IT shop supporting a large user base, the CIO is often more of a business type than an IT type. Hence lots of compromises, negotiation, changes in direction. Couple that with in-house development efforts and one often gets re-work and that translates into slow.

      It's darn near impossible to be large and nimble.

    9. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by shyster · · Score: 4, Insightful
      The attitude of all you LAN Admins in here really pisses me off, "it's easy, lock 'em down, don't give 'em admin, take away all their PC privileges". It's easy for you to say, you have admin! You can install any software you need.

      That's because we know what we're doing. And, if we cause problems, we're the ones that have to fix it.

      How does it help the company when every time I need to install some software to do my job I have to call you up and waste a couple of days for it to get approved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?

      Who do you think is responsible for keeping track of the licenses for that software you want to install? Given admin access, how many users do you think will pirate software? (Answer: a lot). How many users will knowingly or unknowingly install spyware? (Answer: a majority) How many will get a virus? (Answer: A few. But those few will impact the entire company.) And, when they do all of this, and it takes 1-2 days to clean up their computer, how many users will understand that it's their fault and not blame the IT department? (Answer: None.)

      Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.

      I suppose you feel the same way about your Purchasing Department (Why should I have to get a PO before ordering something? How does it help the company when I can't immediately order something I need?). Our job is not to help you be more productive in your job. It's to help the company be more productive. You're just a tiny little part of the equation.

      OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying to do my job.

      If there truly is someone who is (a) knowledgeable of computers, (b) appropriately cautious of installing unknown or unlicensed programs, (c) reasonable enough to not blame IT for all of his computer woes, and (d) wants administrator access (and his manager doesn't care) - then I'll usually give it to them. In most cases, this guy also becomes my go-to guy for the department - which saves me from visiting for little issues.

      If you truly can't do your job because of restrictive policies (note that installing WeatherBug and AIM does not constitute doing your job) then you should explain your situation to your admin, your manager, and your admin's manager. If nothing gets done, then no one thinks you need admin access to do your job. Live with it.

    10. Re:Webroot Spy Sweeper Enterprise and Lavasoft too by coats · · Score: 4, Informative

      AFAIK, Word 97-2003 have the same file format. Excepting some possible formatting issues, reading the documents shouldn't be a problem...
      Can you say, clueless!?

      There are incompatibilities between the paragraph and character styles and the numbering mechanisms among the versions of Word you talk about (97/2000/XP), and going back and forth among them is a sure way to almost-irremediable document corruption. As a corporate-law attorney, my wife runs into this problem all the time.

      Word can't deal with it; the commercial product for cleaning up the mess runs $5000/seat and many law firms consider it well worth the price. (Or you can use the industrial-strength .doc-parser found in abiword or OpenOffice.org:-) .)

      --
      "My opinions are my own, and I've got *lots* of them!"
  2. you mean... by maxdamage · · Score: 5, Informative

    besides freezing them?

  3. the newer AV's do by Nate+Fox · · Score: 4, Informative

    I usually don't recommend upgrading antivirus programs to my clients, but the latest round of 2005 versions basically have adware in with their virus defs. Not sure about the corporate level stuff, but almost all the major consumer AVs do.

  4. Easy and cheap by Dancin_Santa · · Score: 5, Funny

    I recommend just sticking a firewall up at the root of your network and blocking all traffic on port 80. It cuts down on web surfing and it puts to death all those stupid ad/spybots that already infest your network.

    If someone needs to access a site, have a system where they can request a site to be opened for access. Of course they will need to have a valid reason and you (as network admin) have final say as to letting them have that access or not.

    The www is something that can be surfed at home on personal time. Work is for work.

    1. Re:Easy and cheap by Anonymous Coward · · Score: 4, Insightful

      ...because some IS people just need to exercise every little bit of power they can.

      Others realize that computers are tools and that disabling web access makes them worse tools. They know that their job is not to find ways to make their own jobs easier, it is to make other people's jobs easier.

      Kudos to the story submitter for being one of the type that wants to do his job right.

      Dancin Santa, fuck you and all others like you.

    2. Re:Easy and cheap by gregmac · · Score: 4, Insightful

      The www is something that can be surfed at home on personal time. Work is for work.

      Many other people have pointed out the value of being able to surf sites for work-related information (booking hotels, looking at competition, finding reference materials, finding suppliers/products, finding potential customers, posting job listings, ...).

      There are other ways to prevent misuse as well, rather than blocking port 80 - block specific sites (ie, hotmail) and/or use content filtering to stop people from looking at pr0n while at work. Keep in mind that these can be detrimental - at a health care related job, for example, there will be legitimate reasons to look up legitimate sites that will be blocked by content filtering.

      One thing that has been shown (I know I've read articles about this before, unfortunately I can't find references) is denying people "personal time" at work leads to an increase in sick days and other time off. Basically, if you don't let someone spend half an hour doing something personal while "at work", then they end up just taking an entire day off to get what they need done. This is my take on the matter, and I don't block any sites on our connection. (and no, I don't consider pr0n to be a legitimate "personal" use of time, but we're also a small company and no one really has much of a private office to use..)

      --
      Speak before you think
  5. Easy by Anonymous Coward · · Score: 5, Funny

    Two words: Death penalty.

    Get spyware, get shot in the head. After two or three pluggings in front of coworkers, NO ONE will get on the net period, or even check e-mail.

    Harsh? Yes. Effective? HELL YES!

  6. 14" monitors by Anonymous Coward · · Score: 5, Funny

    Every time a user finds spyware on their PC, replace the monitor with a smaller one.
    When a user has to make a decision between h4rdc0r3 p0rn and a 6" monitor, they might be a little more proactive in preventing spyware!

  7. Software Restriction Policy (Windows XP) by yiangouk · · Score: 5, Interesting

    You can apply what is known as a Software Restriction Policy and enforce it strictly so that only approved software is installed on system computers
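    Added example (not the poster's code, and not part of the original thread): a PowerShell script that reads the Software Restriction Policy state Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and reports whether the workstation is actually in a default-deny posture, whether local administrators are exempt, and which path and hash rules exist. The level codes and value names are the documented SRP registry layout; run it in an elevated PowerShell on a machine that received the policy to confirm "only approved software runs" holds.

```powershell
# Added example, not from the original post. Verifies the Software Restriction
# Policy (SRP) that a GPO applied to this workstation.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels: the DefaultLevel value and the names of the rule subkeys.
$LevelNames = @{
    0      = 'Disallowed'    # 0x00000: nothing runs unless a rule allows it
    131072 = 'Basic User'    # 0x20000: runs, but without administrator rights
    262144 = 'Unrestricted'  # 0x40000: everything runs unless a rule blocks it
}

function Get-SrpRule {
    # Enumerate every rule under <level>\Paths and <level>\Hashes.
    foreach ($levelKey in Get-ChildItem -Path $SaferRoot -ErrorAction SilentlyContinue) {
        $level = $LevelNames[[int]$levelKey.PSChildName]
        foreach ($ruleType in 'Paths', 'Hashes') {
            $typeKey = Join-Path -Path $levelKey.PSPath -ChildPath $ruleType
            if (-not (Test-Path -Path $typeKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $typeKey) {
                $props = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Level       = $level
                    Type        = $ruleType
                    # Path rules keep the path in ItemData; hash rules keep the
                    # name of the file the hash was taken from in FriendlyName.
                    Target      = if ($ruleType -eq 'Paths') { $props.ItemData } else { $props.FriendlyName }
                    Description = $props.Description
                }
            }
        }
    }
}

function Get-SrpState {
    if (-not (Test-Path -Path $SaferRoot)) {
        return [pscustomobject]@{
            Configured   = $false
            DefaultLevel = 'Unrestricted (no policy present)'
            AdminsExempt = $true
            DllsChecked  = $false
            Rules        = @()
        }
    }
    $ids = Get-ItemProperty -Path $SaferRoot
    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = if ($null -eq $ids.DefaultLevel) { 'Unrestricted (value absent)' }
                       else { $LevelNames[[int]$ids.DefaultLevel] }
        # PolicyScope 1 = "All users except local administrators"
        AdminsExempt = ([int]$ids.PolicyScope -eq 1)
        # TransparentEnabled 2 = DLLs are checked too; 1 = executables only
        DllsChecked  = ([int]$ids.TransparentEnabled -eq 2)
        Rules        = @(Get-SrpRule)
    }
}

$state = Get-SrpState
$state | Select-Object Configured, DefaultLevel, AdminsExempt, DllsChecked | Format-List
if ($state.DefaultLevel -ne 'Disallowed') {
    Write-Warning 'Default level is not Disallowed: software outside the allow-list is not blocked by SRP.'
}
$state.Rules | Sort-Object Level, Type | Format-Table -AutoSize
```

    The two warnings worth acting on are a DefaultLevel other than Disallowed (the policy is a block-list, not an allow-list) and AdminsExempt being true on machines where users still hold local admin rights, since SRP then does nothing for them.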

  8. Sounds like the same problem we face by willith · · Score: 4, Informative

    Sounds like the same problem we face--4k client PCs in five locations--and we don't have too good of a solution.

    We're currently taking a two-pronged approach. First, for the big baddies like Gator or Bonzi, we use Altiris Notification Server to find them and block their execution. This works tolerably well, but it's a reactive process--for me to block a spyware app, I have to know about it, and it has to be something of which I can deny execution (so, no browser helper objects).

    Second prong is a managed install of Spybot S&D--we're enterprise licensed and maintain our own update server. We stick Spybot S&D in our base loads and force it to run on a schedule, automatically updating itself and running non-interactively. This catches lots, but can sometimes interfere with the users' work.

    There is also an ongoing user education effort, consisting of mandatory training and constant reminders about how spyware works and how one gets infected, but that's about as hopeless as bailing the ocean with a kid's toy bucket. I'm long past the point of hoping that the general user population can learn about how not to get infected with spyware; I'm resigned to spending the rest of my days hearing about how someone in Marketing was hitting the gambling sites at lunch and picked up yet another malware app.

  9. Re:Easy solution by Awptimus+Prime · · Score: 4, Informative

    Use FireFox instead of Internet Explorer. www.mozilla.org

    Though this is a quick way to get a "+5 Informative", it is not a valid solution to most Adware/Spyware/Malware exploits. The majority of this software is installed as part of another application. For instance, the notorious "Internet Optimizer" and "Gator". Running FireFox does nothing to stop an ignorant user from falling for a snappy ad and installing something bad on their workstation.

    I'm not defending IE, I'm just pointing out how it does not apply in this particular case and Mozilla will, by no means, be the end all of web-related tragedies.

  10. Re:Easy solution by mrmagos · · Score: 5, Insightful
    As the security administrator of a small liberal arts college, this switch has probably made the largest impact on desktop support issues. Unfortunately, you can't fully remove IE, but removing shortcuts seems to be good enough to prevent most end users from using it. The other consideration is that many sites use IE-specific extensions, which breaks how Firefox renders the page. For example, we use Exchange with the Outlook web client for student email access and web access. The client is usable with Firefox, but some features, like the check name applet, do not work. A desktop URL opened in IE is our workaround... I guess my point is that you really need to review which web apps and sites your users want to access to truly weigh the pros and cons. In our case, the benefits were greater, and we made the transition as gracefully as possible. I know the parent means well, but sometimes the solution isn't that easy.

    --
    Never start vast projects with half-vast ideas.
  11. Re:Easy solution by Em+Ellel · · Score: 5, Informative

    Why is a normal user allowed to install programs in the first place?

    Because that computer thing is meant to be USEFUL

    --
    RelevantElephants: A Somatic WebComic...
  12. DeepFreeze = best. prog. EVER. by Sven+The+Space+Monke · · Score: 5, Informative
    Oh my god, I'm surprised it took that long to mention DeepFreeze. I LOVE DEEP FREEZE. I only manage 70 comps at a lan center, but if you think office drones are demanding, try gamers. We used to have the comps locked down as tight as possible (well, as tight as you can get with XP pro and still have games/punkbuster be functional), and we still had to do regular weekly maintenance (AV, spyware removal, etc). With DeepFreeze, you can set up a 2 gig thaw partition that allows people to save any files they might need, they can still save files to a network drive, but the C: drive (or any other fixed drive you want) has a persistent image resident. They can save any files they want, make any changes they want, delete anything they want, but on next boot, everything on a frozen drive is back to the way it was before. They can't permanently install any progs, but honestly, when should a user be installing anything anyway? The best part is, I can go about a month between issues that can't be solved by a reboot.

    --
    A man who can't pronounce "nuclear arsenal" shouldn't have one -sig ends here.
    1. Re:DeepFreeze = best. prog. EVER. by drinkypoo · · Score: 4, Informative
      Windows updates are easy: In the middle of the night, thaw the machine from the console (automated), run the updates (automated - you ARE using SMS right?) and then re-freeze it in the morning before they come in. The problem of users saving documents in the wrong location is still an issue but can be mitigated in many applications by the use of default document save paths.

      A somewhat better way to handle the freeze/thaw thing is to run your updates weekly and cycle the machines on the weekend. If you're really worried about your users losing data you can search their machines (via administrative shares, in an automated fashion) for documents modified in the last week and shovel them into a separate folder on the permanently thawed drive.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
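      Added example (not the poster's code): the "search their machines via administrative shares for documents modified in the last week and copy them to the thawed drive" step above, written as a PowerShell function run from an admin workstation before the weekend re-image. The computer names, the destination share and the Windows 2000/XP profile root are assumptions for the example; substitute your own.

```powershell
# Added example, not from the original post. Copies recently modified user
# documents off frozen workstations (via the C$ admin share) into a per-machine
# folder on a permanently thawed location before the weekly refresh.

function Save-RecentUserDocuments {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Destination,   # e.g. \\fileserver\thawed\recovered (assumed)
        [int]$Days = 7,
        [string[]]$Extensions = @('*.doc', '*.xls', '*.ppt', '*.txt', '*.pdf')
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($pc in $ComputerName) {
        # Windows 2000/XP profile root; on Vista and later use C$\Users instead.
        $profileRoot = "\\$pc\C$\Documents and Settings"
        if (-not (Test-Path -Path $profileRoot)) {
            Write-Warning "$pc`: admin share not reachable, skipping"
            continue
        }
        Get-ChildItem -Path $profileRoot -Recurse -Include $Extensions -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
            ForEach-Object {
                # Preserve the per-user folder structure under <Destination>\<pc>\...
                $relative = $_.FullName.Substring($profileRoot.Length).TrimStart('\')
                $target   = Join-Path -Path (Join-Path -Path $Destination -ChildPath $pc) -ChildPath $relative
                New-Item -ItemType Directory -Path (Split-Path -Path $target -Parent) -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target -Force
                $target   # emit the copied path so the run can be logged
            }
    }
}

# Usage with constructed machine names and an assumed share:
# Save-RecentUserDocuments -ComputerName 'LAB-PC01', 'LAB-PC02' `
#     -Destination '\\fileserver\thawed\recovered' | Out-File -FilePath recovered.log
```

      Scope the extension list deliberately: copying everything under the profile would also sweep up browser caches and any downloaded installers, which is exactly the material the re-image is meant to discard.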
    2. Re:DeepFreeze = best. prog. EVER. by hazem · · Score: 4, Interesting

      I once set up a similar system using a small linux installation.

      1) set up windows on half the drive
      2) install a small version of linux on the other partition
      3) make an image of the windows drive that is stored on the linux side
      4) I set up some rudimentary scripting that worked with lilo boot options.

      Normal operation is to boot to Linux, then extract the windows image over the windows partition. It then reboots. You can feed lilo an option to override its default boot option and go directly into windows. On next reboot, you go back into linux.

      I even set flags where you can turn off the auto-rebuilding, set it for daily rebuilding only (first boot of the day), or make it strictly manual "your computer is goofy? Okay, reboot, and select rebuild. Get some coffee and come back".

      As another poster said, you do have to turn off all the auto-updates because they'll continually trigger. But it is so nice to not have to tend to the machines until you want to do those updates.

      I don't have the setup on a website, but if you're interested, send an e-mail to username dfrakes at the new google email service. I'd be glad to send my scripts along.

      We had a lab of win98 boxes - all PII-300's or less that would rebuild their 1.5GB windows image in about 11 minutes. I used tar/gzip for the image, but it can work just as well with dd/gzip and may even go faster. In that case, the smaller your windows drive, the better your performance will be.

      It was great in an academic computer lab where the users shouldn't be messing with things!

  13. The layered onion approach... by urlgrey · · Score: 5, Informative

    Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:

    The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.

    Second, where possible, deploy W2K or XP, and...

    Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.

    Fourth, where possible, dump IE.

    Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)

    Sixth, where possible, dump IE.

    Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)

    Eighth, where possible, dump IE.

    Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for spyware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)

    Last, and not least: dump IE.

    --
    Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
  14. Re:Easy solution by civilizedINTENSITY · · Score: 4, Interesting

    I am so sick of hearing that "once [fill in the blank] reaches critical mass, it will have the same problems." That sidesteps the issue of design, as though all designs are created equal. This viewpoint only works if you view your computer as a magic (black) box with no discernible internal structure or parts.

    Methinks it says much more about the people who utter the phrase than it does about the systems they suggest are inherently equal.

  15. Re:Easy solution by NoMoreNicksLeft · · Score: 4, Funny

    But it's true. Apache eventually won out over IIS, and what happened? 10 apache worms a week, every week for the past 2 years. And don't even get me started on the local exploits. Apache, the worst httpd ever!

    Oh wait. Never mind.

  16. Did you pay for it? by killjoe · · Score: 5, Insightful

    So you installed ad aware and spybot on most of 2000 systems. Did you pay the authors of those software any money? Maybe if you paid them some money they could help you roll out massive deployments or modify their software to suit you.

    My guess is that like most companies you installed them without paying because you didn't have to fill out forms or break your budget. Now you are looking to pay somebody else for software after using their products for all this time.

    Just doesn't seem fair.

    --
    evil is as evil does
  17. Re:Obvious solution by Frogbert · · Score: 5, Insightful

    No it is not. There is no Microsoft Word for Linux; Open Office comes close and I love it to death but it's just not ready yet.

    There is no god damned Access for Linux either. Here's a newsflash: a lot of companies have database frontends that rely on Access; it may not be the best solution but it is the current system and to change it would cost thousands of dollars.

    Like it or loathe it, Visual Basic is used throughout many companies. Please correct me if I am wrong, but do any Linux office products work with Visual Basic?

    These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.

    What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.

    I'm not trolling, I like Linux. I think it is great for the home and for a hobby but it's just not ready for the mainstream. Perhaps in a few years, but not today.

  18. Re: Those are after the fact solutions. by anakin357 · · Score: 4, Informative

    You need to stop them before they are able to install one piece of code on the system.

    1). You can do a few things, namely locking the computers down using the Microsoft Policy Editor (as I am sure you are aware of its existence).

    2). Make sure that no user has administrative access, and that downloading / installing programs is not allowed - if they need programs, that is what their roaming profile is for.

    3). Also keep an image available of every system so that you can restore to a known good working point.

    4). Invest in a decent SAN and keep the roaming profiles there, ALL documents should be kept on the SAN / roaming profile so that re-imaging the computers when they do get things on them does not cause valuable work to be lost.

    Perhaps suggest hiring a freelance IT guy who knows how to do such things if you do not, there are plenty here who need the work.

    If you can get to the control panel, display settings, look in the C: drive, change IE options, etc, you're doing things wrong, it's not locked down enough.

    Yes it's a pain for the users, but it does alleviate the potential of corporate espionage (don't believe it doesn't exist, it most certainly does) and also spyware/adware/etc screwing up your computers.

    These are just the basics but it's worked fine for the company I work for; after some user adjustments it's actually not that bad. The only thing you lose is the storage on the clients, and possibly a big investment in a SAN ranging from 1TB on up, which can be moderately expensive.

    --
    http://www.fsckin.com/
  19. Deny write access to the registry. Whitelist BHOs by Wiseleo · · Score: 5, Informative

    My solution is simple.

    No user can write to the registry in the common spyware places. All access to write to the areas of the registry that are commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install privileges. All apps are deployed through GPOs. There is a white list of approved ActiveX in general and BHO controls.

    Spyware usually requires BHO access to tap into IE. Removing that access is good. White list enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.

    --
    Leonid S. Knyshov
    Find me on Quora :)
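    Added example (not the poster's code, and not part of the original thread): a PowerShell audit for the BHO white list described above. It enumerates every Browser Helper Object registered on the machine, resolves each CLSID to its DLL and Authenticode signer, and flags any CLSID that is not on an approved list, so a scheduled run can catch a BHO that got past the GPO ACLs. The registry paths are the standard IE ones; the approved CLSID list holds a constructed placeholder, not a real product identifier, and must be filled from the BHOs you deploy on purpose.

```powershell
# Added example, not from the original post. Detects BHOs registered outside
# an organisation-defined allow-list.

$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows registers its BHOs here instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Hypothetical allow-list (placeholder CLSID, constructed for the example).
$ApprovedBhoClsids = @(
    '{11111111-2222-3333-4444-555555555555}'
)

function Get-ClsidDefault {
    # Return the (default) value of a registry key, or $null if it is absent.
    param([string]$Path)
    if (Test-Path -Path $Path) { (Get-ItemProperty -Path $Path).'(default)' } else { $null }
}

function Get-RegisteredBho {
    foreach ($bhoKey in $BhoKeys) {
        if (-not (Test-Path -Path $bhoKey)) { continue }
        # COM class registrations for 32-bit components live under Classes\Wow6432Node.
        $classes = if ($bhoKey -like '*Wow6432Node*') { 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
                   else { 'HKLM:\SOFTWARE\Classes\CLSID' }
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $clsid = $sub.PSChildName
            $dll = Get-ClsidDefault -Path "$classes\$clsid\InprocServer32"
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [pscustomobject]@{
                Clsid    = $clsid
                Name     = Get-ClsidDefault -Path "$classes\$clsid"
                Dll      = $dll
                Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SigValid = if ($sig) { $sig.Status -eq 'Valid' } else { $false }
                Approved = $ApprovedBhoClsids -contains $clsid
            }
        }
    }
}

$bhos = @(Get-RegisteredBho)
$bhos | Format-Table Clsid, Name, Approved, SigValid, Dll -AutoSize
$unapproved = @($bhos | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning ("{0} BHO(s) registered that are not on the approved list" -f $unapproved.Count)
}
```

    An unapproved entry whose DLL is unsigned, or whose DLL no longer exists on disk, is the usual shape of a leftover adware component; the audit reports it but leaves removal to whatever re-image or GPO process the shop already uses.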
  20. Ban their certificates? by inhalent · · Score: 5, Informative

    I manage an active directory domain and I've taken care of the major offenders through group policy.

    First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certificate to the file.

    Next, I add that certificate to the list of banned certificates domain wide. It works great and fixes the problem of people installing spyware without knowing it.
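    Added example (not the poster's code, and not part of the original thread): the same approach on a single machine in PowerShell, with a helper that imports a captured signer certificate into the local Disallowed store (what the Untrusted Certificates node under Public Key Policies pushes domain wide) and a check that tells you whether a downloaded installer was signed with a banned certificate before anyone double-clicks it. Import-Certificate is from the PKI module (Windows 8 / Server 2012 and later); the .cer and installer paths are placeholders.

```powershell
# Added example, not from the original post. Banning a publisher certificate
# locally and checking installers against the ban list.

$DisallowedStore = 'Cert:\LocalMachine\Disallowed'

function Add-BannedPublisher {
    # On systems without the PKI module the equivalent is:
    #   certutil -addstore Disallowed <file.cer>
    param([Parameter(Mandatory)][string]$CerPath)
    Import-Certificate -FilePath $CerPath -CertStoreLocation $DisallowedStore
}

function Get-BannedThumbprints {
    Get-ChildItem -Path $DisallowedStore | ForEach-Object { $_.Thumbprint }
}

function Test-InstallerSigner {
    # Looks the file's Authenticode signer up by thumbprint rather than relying
    # on the Status field alone, so the answer is unambiguous even when the
    # chain fails for another reason (expired, untrusted root, tampered file).
    param([Parameter(Mandatory)][string]$FilePath)
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File   = $FilePath
        Status = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = if ($cert) { $cert.Subject } else { $null }
        Banned = if ($cert) { (Get-BannedThumbprints) -contains $cert.Thumbprint } else { $false }
    }
}

# Usage (paths are placeholders):
# Add-BannedPublisher -CerPath 'C:\admin\captured-signer.cer'
# Test-InstallerSigner -FilePath 'C:\Downloads\some-installer.exe'
```

    Two caveats a practitioner hits quickly: a banned certificate only stops installs that present that exact certificate, so the same vendor reissuing under a new one slips through until it is captured as well, and unsigned installers (Status NotSigned) are not touched by this control at all, which is why the permission-based lockdowns elsewhere in the thread still matter.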

  21. Technical solution useless w/o policy 2 back it up by Media_Scumbag · · Score: 4, Informative

    Any time you have to deal with a technical issue that involves user interaction as a component of success, you will need to propose to management, a policy that bolsters the behavioral aspect of the solution; Users need to be made, by management, to have some degree of awareness and culpability for virus and spyware infections.

    "Frequent-fires" users will be compelled to learn some digital hygiene.

    Most large and medium-sized businesses operating today have some sort of policy on sexual harassment/hostile workplace/conflict of interest/Internet and PC usage policy, etc. Generally, users understand that these policies are for everyone's protection - With ~2000 PCs in the mix... This is definitely where you should start... Policy Covers Your Ass.

    On the technical side:

    1. Router logs, intrusion detection, and sniffing as trending tools to show your boss what's up with traffic.

    2. Good, solid desktop images/ app pushes/ GPO's - harden the Registry, Security Policy, individual apps as necessary. Beyond that - when a machine is sufficiently infected, it should be replaced with a re-imaged one --- it can be faster than cleaning, and is a hell of a lot more complete. This also reinforces the notion of users not storing important things locally.

    3. Helpdesk tracking software - What users/machines/network segments are continually having the same problems? Does Human Resources need to be the next step for some people?

    4. Desktop management software - provide your boss with stats on just what kind of crap is showing up.

    5. If you must use/develop software that may enable or even contain spyware, you have a particularly tricky problem that concerns both company policy and IT best practices.

    Of course, you know your boss, I don't... How you implement these suggestions is different for everyone. To some, it may seem draconian, to others, quite lax.... To some, budgets will not allow the necessary attention - for others, this kind of focus could perhaps justify a budget increase.

    Oh... And consider the browser's role in the business - what is an acceptable $$ loss for a preventable issue? Have you already spent that?

    My $.02