Spyware/Adware Prevention In Large Deployments?

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"

Webroot Spy Sweeper Enterprise and Lavasoft too

[erick99]

I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment though you can do it manually as well. Definition upgrades as well as version upgrades of the sofware is also automated. Take a look at this page from their website. Lavasoft also has an enterprise product that is pretty good though I think Webroot has a slight edge.

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

[SilentChris]

You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

The only one that I've seen get through (and it's not really spyware) is changing a person's homepage. I'm not sure why IE even allows this. Fortunately, the main reason for switching someone's home page (slamming them with pop-up ads) is kind of diminished with SP2.

My feeling: the vast majority of administrators don't take advantage of the tools MS has provided. The one complaint I've heard ("We use programs that require special permissions, so we can't have staff run as limited users") is bollocks. Do what we do: take a few hours out during a deployment, contact the original software manufacturer (or figure it out in house) and set all the permissions correctly.

And it's not just unknown shops. I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

[trick-knee]

proper permissions usage and implementation is really the best way to lock down a machine when you can't rely on the user to keep from inadvertantly installing junk.

and doesn't the great grandparent (first) poster read like astroturf?

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

[plierhead]

I agree. When I worked at CellularOne every user was issued a W2K workstation that was locked down squeaky tight. You had to make a very good case to get access to the web and, even then, there was a hellish long list of sites that were blocked. I didn't see any spyware/malware ever. Users were not allowed to install software nor even printers. You go the application suite that your job required and you were mapped to a printer or two. It worked well and nobody was being deprived with the possible exception of folks that like to use their computer to screw off all day.

I hear completely where you're coming from, but you're only talking about the side that you see.

Locking people down, while it may well be a desirable solution because of the shite that is MS, very often leads directly to lost productivity that affects many more than just "folks that like to use their computer to screw off all day". In many cases, the problem is made worse by unresponsive IT departments who have an inbuilt superiority complex and think all users are jerks. Well, many users are jerks, but guess what - if they can't do their jobs, they cost their employer money, normally in a way that IS is utterly unaware of (and probably couldn't give a shit anyway).

Recent examples at our clients (we provide our system as an ASP, not least to avoid the claws of those freaking MS bastards, but as you can see we are still the victims):

1. Customer A needs to scan and OCR hard copy documents to upload them into our system. Of course they are not allowed to go down and buy a $200 HP scanner with this ability - instead they must wait for IS. IS has set up a $20,000 multi-fucntion scanner, but of course it does not do OCR. Of course there is an OCR program, but of course it is not certified for the current system image. 6 months on, over $30,000 in additional costs incurred - because IS can't provide OCR capability and won't allow a "renegade" install of a $200 HP scanner.
2. Customer B wants to use our system - its an ASP after all, no software to install - but their procedures for gaining web access are so cumbersome that it is simply impractical to give wide access throughout the business. More lost $$$, to us and them.
3. Customer C has their image locked down to Office 97 because of various (no doubt valid) MS problems. Users are unable to handle incoming documents written in later versions of Word. IS has no solution apart from waiting until 2006 for a company-wide upgrade. (Yet, strangely enough, the IT dude has Office 2003 on his OWN desktop)

Re:Webroot Spy Sweeper Enterprise and Lavasoft too

What? I've got a bunch of people synching palms in windows 2000. They are domain users and don't even have accts on the local system. try adding the user to the administrators group for the first sync and then removing them.

you mean...

[maxdamage]

besides freezing them?

Easy and cheap

[Dancin_Santa]

I recommend just sticking a firewall up at the root of your network and blocking all traffic on port 80. It cuts down on web surfing and it puts to death all those stupid ad/spybots that already infest your network.

If someone needs to access a site, have a system where they can request a site to be opened for access. Of course they will need to have a valid reason and you (as network admin) have final say as to letting them have that access or not.

The www is something that can be surfed at home on personal time. Work is for work.

Easy

Two words: Death penalty.

Get spyware, get shot in the head. After two or three pluggings in front of coworkers, NO ONE will get on the net period, or even check e-mail.

Harsh? Yes. Effective? HELL YES!

14" monitors

Every time a user finds spyware on their PC, replace the monitor with a smaller one.
When a user has to make a decision between h4rdc0r3 p0rn and a 6" monitor, they might be a little more proactive in preventing spyware!

Software Restriction Policy (Windows XP)

[yiangouk]

You can apply what is known as a Software Restriction Policy and enforce it strictly so that only approved software is installed on system computers

Re:Easy solution

[mrmagos]

As the security administrator of a small liberal arts college, this switch has probably made the largest impact on desktop support issues. Unfortunately, you can't fully remove IE, but removing shortcuts seems to be good enough to prevent most end users from using it. The other consideration is that many sites use IE-specific extensions, which breaks how Firefox renders the page. For example, we use Exchange with the Outlook web client for student email access and web access. The client is useable with Firefox, but some features, like the check name applet, does not work. A desktop url opened in IE is our workaround... I guess my point is that you really need to review which web apps and sites your users want to access to truly weigh the pros and cons. In our case, the benefits were greater, and we made the transition as gracefully as possible. I know the parent means well, but sometimes the solution isn't that easy.

Re:Easy solution

[Em+Ellel]

Why is a normal user allowed to install programs in the first place?

Because that computer thing is meant to be USEFUL

DeepFreeze = best. prog. EVER.

[Sven+The+Space+Monke]

Oh my god, I'm surprised it took that long to mention DeepFreeze. I LOVE DEEP FREEZE. I only manage 70 comps at a lan center, but if you think office drones are demanding, try gamers. We used to have the comps locked down as tight as possible (well, as tight as you can get with XP pro and still have games/punkbuster be functional), and we still had to do regular weekly maintenance (AV, spyware removal, etc). With DeepFreeze, you can set up a 2 gig thaw partition that allows people to save any files they might need, they can still save files to a network drive, but the C: drive (or any other fixed drive you want) have a persistant image resident. They can save any files they want, make any changes they want, delete anything they want, but on next boot, everything on a frozen drive is back to the way it was before. They can't permanently install any progs, but honestly, when should a user be installing anything anyway? The best part is, I can go about a month between issues that can't be solved by a reboot.

The layered onion approach...

[urlgrey]

Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:

The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.

Second, where possible, deploy W2K or XP, and...

Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.

Fourth, where possible, dump IE.

Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)

Sixth, where possible, dump IE.

Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)

Eighth, where possible, dump IE.

Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for sypware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)

Last, and not least: dump IE.

------

Did you pay for it?

[killjoe]

So you installed ad aware and spybot on most of 2000 systems. Did you pay the authors of those software any money? Maybe if you paid them some money they could help you roll out massive deployments or modify their software to suit you.

My guess is that like most companies you installed them without paying because you didn't have to fill out forms or break your budget. Now you are looking to pay somebody else for software after using their products for all this time.

Just doesn't seem fair.

Re:Obvious solution

[Frogbert]

No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but its just not ready yet.

There is no god damned Access for Linux either. Heres a newsflash a lot of companies have database frontends that rely on Access, it may not be the best solution but it is the current system and to change it would cost thousands of dollars.

Like it or Loathe it Visual Basic is used throughout many companies. Please correct me if I am wrong but do any Linux office products work with Visual Basic?

These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.

What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.

I'm not trolling, I like Linux I think it is great for the home and for a hobby but its just not ready for the mainstream. Perhaps in a few years, but not today.

Deny write access to the registry. Whitelist BHOs

[Wiseleo]

My solution is simple.

No user can write to the registry in the common spyware places. All access to write to the ares of the registry that is commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install priveleges. All apps are deployed through GPOs. There is a white list of approved ActiveX in general and BHO controls.

Spyware usually requires BHO access to tap into IE. Removing that access is good. White list enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.

Ban their certificates?

[inhalent]

I manage an active directory domain and I've taken care of the major offenders through group policy.

First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certicate to the file.

Next, I add that certificate to the list of banned certicates domain wide. It works great and fixes the problem of people installing spyware without knowing it.