Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security Operating Systems Software Spam Windows

Spyware/Adware Prevention In Large Deployments? 782

foQ writes "I work in the IS department for a ~2000 networked computer environment across 10 locations. As with most people, we have experienced serious problems with spyware/adware. We have SpyBot and Ad-Aware installed on most computers, but this doesn't prevent the computers from getting these programs and only sometimes properly removes all of them. Is there a tool that we could push out to all the PCs to basically do what anti-virus programs do and block these programs from running and clean them from the computer?"
This discussion has been archived. No new comments can be posted.

Spyware/Adware Prevention In Large Deployments?

Comments Filter:
  • by erick99 ( 743982 ) <homerun@gmail.com> on Monday October 18, 2004 @09:49PM (#10561462)
    I took a look at enterprise antispyware software for a client and particularly liked Webroot's Spy Sweeper Enterprise product. It provides centralized management and automatic deployment though you can do it manually as well. Definition upgrades as well as version upgrades of the sofware is also automated. Take a look at this page [webroot.com] from their website. Lavasoft also has an enterprise product that is pretty good though I think Webroot has a slight edge.
    • by SilentChris ( 452960 ) on Monday October 18, 2004 @10:26PM (#10561764) Homepage
      You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

      The only one that I've seen get through (and it's not really spyware) is changing a person's homepage. I'm not sure why IE even allows this. Fortunately, the main reason for switching someone's home page (slamming them with pop-up ads) is kind of diminished with SP2.

      My feeling: the vast majority of administrators don't take advantage of the tools MS has provided. The one complaint I've heard ("We use programs that require special permissions, so we can't have staff run as limited users") is bollocks. Do what we do: take a few hours out during a deployment, contact the original software manufacturer (or figure it out in house) and set all the permissions correctly.

      And it's not just unknown shops. I recently read an article where Kinko's reimages computers after guests pay to use them. This can take 5-10 minutes. What the hell? Just set a limited user and recreate that one folder. What are their administrators thinking?
      • You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks. At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited. We haven't had a *single* noteworthy case of spyware, or viruses, because nothing can really get into the meat of the system (Windows\System32 directory, Program Files directory, etc). If anyone has a complaint, tough. They go through us if they want to install X program.

        This is so true. I wor

      • Sometimes management is just clueless and will buckle to user's demands to allow them ot have admin access. Sometimes, they tun specialised programs that will not NOT run properly without admin. Espically in the case of engineering apps, there sometimes is no alternative, this is the only thing that does what it does.

        I agree as a general princliple: Users should have the minimum amount of access they need to do their job. Unfortunately, that is sometimes full administrative access.
        • It's gotta be said here: but programmers love to operate, program, debug and test as QSECOFR/admin. I network admin, and I don't run as root on my linux box, have limited domain admin rights on XP normally (like password reset) and use a remote desktop to a domain controller for necessary tasks (about 10 minutes a day).

          First thing that happens when we hire a new developer ... "What's the qsecofr password, what the Administrator password, I need ALLOBJ access, i've written the program using Active-X that ne
      • by WoodstockJeff ( 568111 ) on Monday October 18, 2004 @11:38PM (#10562138) Homepage
        At my company, the first thing we did when we migrated to XP (from 98) was set every user's permission to limited.

        Works great, until you run into something like Palm software, which won't cooperate with permissions. I've tried several methods to make it possible to sync a Palm Pilot with Outlook, and none work, if the user doesn't have administrator privileges on the computer. Apparently, some of the Palm conduits try to write to directories that aren't available to mere users, and I haven't been able to track all of them down.

        And it's the executives that have the Palms, so not letting them work isn't a viable option...

        • by Anonymous Coward on Tuesday October 19, 2004 @12:54AM (#10562547)
          What? I've got a bunch of people synching palms in windows 2000. They are domain users and don't even have accts on the local system. try adding the user to the administrators group for the first sync and then removing them.
        • That is the bulshitiest excuse in the history of mankind.

          You explain to the suit that you can't install the software because that would make your network a virus/spyware testbed.

          If the suit inisist have him put it in writting exhonerating you from any responsibility and financial damage the company may suffer .

          It always amazes me the deference that some people have for somebody wearing a suit and with an important sounding job description.

          Your job is to make that network safe, in spite of the owners of
        • Works great, until you run into something like Palm software, which won't cooperate with permissions.

          This came up in a /. discussion months ago, and I asked my boyfriend -- who administrates WinXP and 2000 machines where he works -- if he had found a solution.

          I'll look through my replies and repost it. He said that it's a bit tricky, but it can be done.
      • by permanentE ( 543026 ) on Monday October 18, 2004 @11:42PM (#10562164) Homepage
        The attitude of all you LAN Admins in here really pisses me off, "it's easy, lock 'em down, don't give 'em admin, take away all their PC privilages". It's easy for you to say, you have admin! You can install any software you need.

        I wonder how much productivity you lock-'em-down admins are costing the economy as a whole. You wanna know something? LAN administration isn't the most important part of a company, you aren't making the company any money. Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.

        How does it help the company when everytime I need to install some software to do my job I have to call you up and waste a couple of days for it to get aproved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?

        OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying doing my job. Leave me alone god damnit!

        /rant

        • by Mod Point Sink ( 811047 ) on Monday October 18, 2004 @11:48PM (#10562214)
          Back in the mainframe days, they were a priesthood--users could only act with the data through the intercession of them and their terminals. The PC changed all that, and they've spent the last couple of decades stuffing the toothpaste back into the tube.

          Microsoft has greased the wheels with its exploit ridden, high maintenance software, creating security problems of epic proportion that are helping justify the return to the "glass house" in the eyes of management, who worries about things like HIPAA, Sarbanes Oxley, EU privacy directives, Gramm Leach Bliley, and all that--and creating a class of well-paid overseers to manage it.

          The users are mere pawns in the game.

        • The attitude of all you LAN Admins in here really pisses me off, "it's easy, lock 'em down, don't give 'em admin, take away all their PC privilages". It's easy for you to say, you have admin! You can install any software you need.

          That's because we know what we're doing. And, if we cause problems, we're the ones that have to fix it.

          How does it help the company when everytime I need to install some software to do my job I have to call you up and waste a couple of days for it to get aproved by the all-mighty-admin? How does it help the company when I can't immediately respond to a customer!?

          Who do you think is responsible for keeping track of the licenses for that software you want to install? Given admin access, how many users do you think will pirate software? (Answer: a lot). How many users will knowingly or unknowingly install spyware? (Answer: a majority) How many will get a virus? (Answer: A few. But those few will impact the entire company.) And, when they do all of this, and it takes 1-2 days to clean up their computer, how many users will understand that it's their fault and not blame the IT department? (Answer: None.)

          Your job is to help us users be more productive in doing our job, it isn't to cause you the least hassle.

          I suppose you feel the same way about your Purchasing Department (Why should I have to get a PO before ordering something? How does it help the company when I can't immediately order something I need?). Our job is not to help you be more productive in your job. It's to help the company be more productive. You're just a tiny little part of the equation.

          OK, so there are stupid users, but I don't care about them, they don't affect me, I'm just trying doing my job.

          If there truly is someone who is (a) knowledgeable of computers, (b) appropiately cautious of installing unknown or unlicensed programs, (c) reasonable enough to not blame IT for all of his computer woes, and (d) wants administrator access (and his manager doesn't care) - then I'll usually give it to them. In most cases, this guy also becomes my go-to guy for the department - which saves me from visiting for little issues.

          If you truly can't do your job because of restrictive policies (note that installing WeatherBug and AIM does not constitute doing your job) then you should explain your situation to your admin, your manager, and your admin's manager. If nothing gets done, then noone thinks you need admin access to do your job. Live with it.

        • bollocks. if you need it, it's already there: this is why we have a standard desktop client that's rocksolid-stable. just because you're pissed off because you can't install webshots, don't assume that there's not a valid and sound reason to lock down clients.
        • The test is if the loss of productivity due to lockdowns is overall LESS than the loss of productivity due to virus/malware/spyware plus corporate danger due to piracy plus extra admin time to support all kinds of whacked-out PC's.

          If having them locked down costs the company less, then guess what - you get to put in change requests for that software install.
      • If businesses used your logic, there would be no PCs. We would still all be running green screens off of mainframes. It is those terrible users that found they could do thier job 5 times faster by going around IT and running apps on a 'toy' (PC) that has gotten us as far as we are. At least 2/3 of the Administrators that I have run into are not competent, and are simply not well versed enough in business or technology to determine what software is necessary and what is not. The comment about Kinko's is
      • by ralphus ( 577885 ) on Tuesday October 19, 2004 @12:21AM (#10562410)
        Different companies have different political environments and different requirements for user permissions. Not everyone can be as locked down as you are because of various business requirements. Business requirements always trump security requirements, political requirements (like CEO "needs" admin rights) often trump security requirements.
      • You know, I still don't understand why large-scale deployments like this guy need ANY spyware checks.

        Because not every company is employing a bunch of idiots. Some users actually NEED to do things that are out of the ordinary.

        If anyone has a complaint, tough.

        IT's job is to secure the computers, but not just for the sake of security. It's to secure them so that people can do work. If you only care about one part of your job, that's a really good way to lose the rest of it.

        I recently read an article w
    • by anakin357 ( 69114 ) on Monday October 18, 2004 @10:27PM (#10561775) Homepage
      You need to stop them before they are able to install one peice of code on the system.

      1). You can do a few things, namely locking the computers down using the Microsoft Policy Editor (as I am sure you are aware of it's existance).

      2). Make sure that no user has administrative access, and that downloading / installing programs is not allowed - if they need programs, that is what their roaming profile is for.

      3). Also keeping a image available of every system so that you can restore to a known good working point

      4). Invest in a decent SAN and keep the roaming profiles there, ALL documents should be kept on the SAN / roaming profile so that re-imaging the computers when they do get things on them does not cause valuable work to be lost.

      Perhaps suggest hiring a freelance IT guy who knows how to do such things if you do not, there are plenty here who need the work.

      If you can get to the control panel, display settings, look in the C: drive, change IE options, etc, you're doing things wrong, it's not locked down enough.

      Yes it's a pain for the users, but it does alleviate the potential of corporate espionage (don't beleive it doesn't exist, it most certainly does) and also spyware/adware/etc screwing up your computers.

      These are just the basics but it's worked fine for the company I work for, after some user adjustments it's actually not that bad. The only thing you loose is the storage on the clients, and possibly a big investment in a SAN ranging from 1TB on up, which can be moderately expensive.
  • you mean... (Score:5, Informative)

    by maxdamage ( 615250 ) * on Monday October 18, 2004 @09:49PM (#10561463) Journal
    besides freezing [faronics.com] them?
    • by Sven The Space Monke ( 669560 ) on Monday October 18, 2004 @10:08PM (#10561631)
      Oh my god, I'm surprised it took that long to mention DeepFreeze. I LOVE DEEP FREEZE. I only manage 70 comps at a lan center, but if you think office drones are demanding, try gamers. We used to have the comps locked down as tight as possible (well, as tight as you can get with XP pro and still have games/punkbuster be functional), and we still had to do regular weekly maintenance (AV, spyware removal, etc). With DeepFreeze, you can set up a 2 gig thaw partition that allows people to save any files they might need, they can still save files to a network drive, but the C: drive (or any other fixed drive you want) have a persistant image resident. They can save any files they want, make any changes they want, delete anything they want, but on next boot, everything on a frozen drive is back to the way it was before. They can't permanently install any progs, but honestly, when should a user be installing anything anyway? The best part is, I can go about a month between issues that can't be solved by a reboot.

      • by hazem ( 472289 ) on Monday October 18, 2004 @10:29PM (#10561793) Journal
        I once set up a similar system using a small linux installation.

        1) set up windows on half the drive
        2) install a small version of linux on the other partition
        3) make an image of the windows drive that is stored on the linux side
        3) I set up some rudimentary scripting that worked with lilo boot options.

        Normal operation is to boot to Linux, then extract the windows image over the windows partition. It then reboots. You can feed lilo an option to override its default boot option and go directly into windows. On next reboot, you go back into linux.

        I even set flags where you can turn off the auto-rebuilding, set it for daily rebuilding only (first boot of the day), or make it strictly manual "your computer is goofy? Okay, reboot, and select rebuild. Get some coffee and come back".

        As another poster said, you do have to turn off all the auto-updates because they'll continually trigger. But it is so nice to not have to tend to the machines until you want to do those updates.

        I don't have the setup on a website, but if you're interested, send an e-mail to username dfrakes at the new google email service. I'd be glad to send my scripts along along.

        We had a lab of win98 boxes - all PII-300's or less that would rebuild their 1.5GB windows image in about 11 minutes. I used tar/gzip for the image, but it can work just as well with dd/gzip and may even go faster. In that case, the smaller your windows drive, the better your performance will be.

        It was great in an academic computer lab where the users shouldn't be messing with things!
        • Re:re-imaging (Score:3, Informative)

          by tomhudson ( 43916 )
          Another thing you can do to make the whole restore process quicker is, before creating the original image, write a program to fill up the unused space on the source drive's file system with huge files containing just a bunch of 0x00s (nulls), then, when the file system is full, delete those files.

          Now you're ready to do a dd if=/dev/source_partition of=my_image.img

          When you zip the resultant img, it will compress much more because, instead of random data on the unused parts of the drive, it's just a bunch o

        • by hazem ( 472289 ) on Tuesday October 19, 2004 @06:52AM (#10563571) Journal
          I'm going to try posting this and hope the lameness filters don't get me.

          I hope this helps! If you find any mistakes, please feel free to contact me. If you find it really useful, I'd love to hear about it.

          I'd release this under the GPL, but darn, it just doesn't seem like there's enough there to bother. I mean... can you really GPL some config scripts?

          I found it helpful to configure the Linux stuff on one computer, then using a bootable Linux CD (I didn't want the local box slowed down by unnecessary services like networking), I put it on a server, called lin.tgz. I then booted on another machine with the bootable cd, and applied it to the /dev/hda2. If that was mounted to /lin, you'd then need to do a "chroot /lin" and then run /sbin/lilo to get lilo installed.

          Good luck!

          Linux Rebuilder
          By Dale Frakes
          Write-up version 0.1, 19 October 2004, 4:17AM

          This set of tools helps automate the process of keeping a Windows box with a consistent image. It works similarly to "Deep Freeze" by storing an image of the Windows system and all its software on a Linux partition. The computer boots into Linux, which restores this image to the Windows partition (overwriting whatever the user did before). It then reboots into Windows.

          ** Installing/Setup **
          The scripts as I have written them use tar/gzip to make the image of the Windows partition. This is because I was working on Win98 boxes that use FAT32 (which Linux can easily read and write). Linux does not yet reliably write NTFS, so to use this on an NTFS based Windows system, such as Windows 2000, or Windows XP, the scripts will need to be rewritten using dd/gzip rather than tar/gzip.

          Here are the basic steps:
          1) Install Windows on your computer. If you are using one drive, partition that drive in half (or, if you know how much space you'll need, just a little more than that). Install all your applications and customize the Windows "image" so that it is exactly the way you want it to be each time you reboot.
          2) Install some Linux version on the other half. Keep it small, since you won't need networking, X, or much else.
          3) Create a /rebuilder directory and place the following files in that directory: getimage, putimage, rebuilder, win_reboot
          4) Modify /etc/rc.local to point to /rebuilder/rebuilder
          5) Modify /etc/lilo.conf to match the menu options in my lilo.conf. Run lilo.
          6) Create a /images directory to store the image.

          For FAT32 systems using tar/gzip, you'll need to add an entry to your /etc/fstab to mount /dev/hda1 to /win.

          ** Useful Points **
          There are two main keys to why this thing works pretty well. First, lilo can invoke the same kernel with different options. The menu options I place in lilo.conf do this. The other key is contained in the win_reboot file. By invoking lilo with the -R option followed by a boot label, (eg. "lilo -R Windows"), lilo will override its default boot option on the next reboot.

          There are two other nice features that work nicely. The first one is that while the kernel is loading, the keyboard cannot interrupt the process. This is great for keeping someone from hijacking the system. The second is that by putting the line "password=""" in lilo.conf will password protect the boot options that do not have a "bypass" in them. This allows the user to do some things, like boot directly into Windows, or even rebuild the Windows partition, but not make a new image of the Windows partition.

          If you're going to do a dd/gzip option, you'll want to wipe your Windows partition's empty space. From the documentation for g4u, there is a link to a program called nulfile, which will fill up the empty space with 0's. http://www.feyrer.de/g4u/

          (If you like imaging, check out g4
  • Don't let'em in. (Score:3, Informative)

    by gustgr ( 695173 ) <.rondina. .at. .gmail.com.> on Monday October 18, 2004 @09:50PM (#10561473) Homepage
    What about blocking or filtering the spywares and adwares at your proxy? If it don't get into the network, it will not affect your computers.
  • the newer AV's do (Score:5, Informative)

    by Nate Fox ( 1271 ) on Monday October 18, 2004 @09:50PM (#10561478)
    I usually dont reccomend upgrading antivirus programs to my clients, but the latest round of 2005 versions basically have adware in with their virus defs. Not sure about the corporate level stuff, but almost all the major consumer AVs do.
  • by Anonymous Coward
    Seriously. I am not trolling. It works for me.

    Ever since I have installed SP2, Ad-Aware from Lavasoft has not found one spyware program -- even after installing the worst offending sites - porn sites.

    • by Anonymous Coward
      even after installing the worst offending sites - porn sites.

      Thank you for taking the risk of testing that so that others won't have to.

  • Symantec (Score:3, Insightful)

    by cuteseal ( 794590 ) on Monday October 18, 2004 @09:51PM (#10561487) Homepage
    We use Symantec Antivirus and Desktop Firewall - seem to do the trick...
  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Monday October 18, 2004 @09:51PM (#10561489) Journal
    I recommend just sticking a firewall up at the root of your network and blocking all traffic on port 80. It cuts down on web surfing and it puts to death all those stupid ad/spybots that already infest your network.

    If someone needs to access a site, have a system where they can request a site to be opened for access. Of course they will need to have a valid reason and you (as network admin) have final say as to letting them have that access or not.

    The www is something that can be surfed at home on personal time. Work is for work.
    • Re:Easy and cheap (Score:4, Insightful)

      by Anonymous Coward on Monday October 18, 2004 @09:56PM (#10561546)
      ...because some IS people just need to exercise every little bit of power they can.

      Others realize that computers are tools and that disabling web access makes them worse tools. They know that their job is not to find ways to make their own jobs easier, it is to make other people's jobs easier.

      Kudos to the story submitter for being one of the type that wants to do his job right.

      Dancin Santa, fuck you and all others like you.
    • You are absolutely correct. And then, board your magical Unicorn for the Leprechan base on the Dark Side of the Moon, where you will eat naught but Space Wine and Space Cheese!
    • Re:Easy and cheap (Score:5, Insightful)

      by gregmac ( 629064 ) on Tuesday October 19, 2004 @12:50AM (#10562529) Homepage
      The www is something that can be surfed at home on personal time. Work is for work.

      Many other people have pointed out the value of being able to surf sites for work-related information (booking hotels, looking at competition, finding reference materials, finding suppliers/products, finding potential customers, posting job listings, ...).

      There are other ways to prevent misuse as well, rather than blocking port 80 - block specific sites (ie, hotmail) and/or use content filtering to stop people from looking at pr0n while at work. Keep in mind that these can be detrimental - at a health care related job, for example, there will be legitimate reasons to look up legitimate sites that will be blocked by content filtering.

      One thing that has been shown (I know I've read articles about this before, unfortunately I can't find referencse) is denying people "personal time" at works leads to an increase in sick days and other time off. Basically, if you don't let someone spend half an hour doing something personal while "at work", then they end up just taking an entire day off to get what they need done. This is my take on the matter, and I don't block any sites on our connection. (and no, I don't consider pr0n to be a legitmate "personal" use of time, but we're also a small company and no one really has much of a private office to use..)
  • Easy (Score:5, Funny)

    by Anonymous Coward on Monday October 18, 2004 @09:52PM (#10561491)
    Two words: Death penalty.

    Get spyware, get shot in the head. After two or three pluggings in front of coworkers, NO ONE will get on the net period, or even check e-mail.

    Harsh? Yes. Effective? HELL YES!
  • Obvious solution (Score:2, Informative)

    by glomph ( 2644 )
    Stop dedicating your life to subsidising Microsoft's hegemony. Move people to a good, maintained Linux Distro. Yes, it is possible.
    • by Frogbert ( 589961 ) <<frogbert> <at> <gmail.com>> on Monday October 18, 2004 @10:26PM (#10561767)
      No it is not. There is no Microsoft Word for Linux, Open Office comes close and I love it to death but its just not ready yet.

      There is no god damned Access for Linux either. Heres a newsflash a lot of companies have database frontends that rely on Access, it may not be the best solution but it is the current system and to change it would cost thousands of dollars.

      Like it or Loathe it Visual Basic is used throughout many companies. Please correct me if I am wrong but do any Linux office products work with Visual Basic?

      These are just a few of the many examples why you couldn't just switch to Linux like that. Those are just the software factors too, forget user training, the cost of changing hardware that isn't supported to Linux etc.

      What about thousands of pissed off users because they can't figure out why the hell the start button looks different or why text on the screen doesn't behave as expected.

      I'm not trolling, I like Linux I think it is great for the home and for a hobby but its just not ready for the mainstream. Perhaps in a few years, but not today.
  • Actually (Score:4, Interesting)

    by apoplectic ( 711437 ) on Monday October 18, 2004 @09:52PM (#10561498)
    but this doesn't prevent the computers from getting these programs

    I believe Spybot does protect you ("immunize") from around 2000 different pieces of software, if you let it.
  • See: here for Pest Patrol [pestpatrol.com], and here for Spy Sweeper [webroot.com]. There was an article this month in Information Security Magazine [infosecuritymag.com].
  • Some hints (Score:2, Informative)

    by Anonymous Coward
    * Don't let the users work with an admin account
    * Use a proxy
    * Use Firefox instead of IE
    • Re:Some hints (Score:3, Insightful)

      by Xaoswolf ( 524554 ) *
      Well, Win9X doesn't have admin accounts, where I used to work, we had hundreds of PC's running 95, and this was in 2003.

      Top bras simply did not want to pay to replace those computers.

      As far as firewalls go, things still slip through, and once they do, what then?

      And firefox only stops most automatic installs, it still won't keep Joe Idiot from downloading Bonzia Buddy...

  • I have it (Score:2, Funny)

    by ryanmfw ( 774163 )
    Ripoff Technologies-

    We have all of the software you need! Just tell us what you want the software to do, give us the name of open source software that already does the task, and in three weeks we will have a brand new software package *just* for you, for the low low price of $50! Unfortunately, our website is down because of high traffic and hackers. Still, you can view videos of the as-of-yet-non-existant software here [nowhere].

  • by Anonymous Coward on Monday October 18, 2004 @09:53PM (#10561508)
    Every time a user finds spyware on their PC, replace the monitor with a smaller one.
    When a user has to make a decision between h4rdc0r3 p0rn and a 6" monitor, they might be a little more proactive in preventing spyware!
  • by yiangouk ( 721875 ) on Monday October 18, 2004 @09:55PM (#10561526) Homepage
    You can apply what is known as a Software Restriction Policy [microsoft.com] and enforce it strictly so that only approved software is installed on system computers
  • yeah (Score:3, Informative)

    by UserChrisCanter4 ( 464072 ) on Monday October 18, 2004 @09:56PM (#10561543)
    I'm not totally clear on what these machines are used for (custom web apps w/ heavy activeX use? Random surfing?), but assuming you haven't heavily focused on IE with custom software, Mozilla/Firefox plus a proper permissions system that denies access to IE and program installation should prevent 95% of the infections.

    Top it off with a local DNS that nulls known ad sites and spyware supplies, and you should be good to go.
  • by willith ( 218835 ) on Monday October 18, 2004 @09:57PM (#10561549) Homepage
    Sounds like the same problem we face--4k client PCs in five locations--and we don't have too good of a solution.

    We're currently taking a two-pronged approach. First, for the big baddies like Gator or Bonzi, we use Altiris Notification Server [altiris.com] to find them and block their execution. This works tolerably well, but it's a reactive process--for me to block a spyware app, I have to know about it, and it has to be something of which I can deny exeuction (so, no browser helper objects).

    Second prong is a managed install of Spybot S&D--we're enterprise licensed and maintain our own update server. We stick Spybot S&D in our base loads and force it to run on a schedule, automatically updating itself and running non-interactively. This catches lots, but can sometimes interfere with the users' work.

    There is also an ongoing user education effort, consisting of mandatory training and constant reminders about how spyware works and how one gets infected, but that's about as hopeless as bailing the ocean with a kid's toy bucket. I'm long past the point of hoping that the general user population can learn about how not to get infected with spyware; I'm resigned to spending the rest of my days hearing about how someone in Marketing was hitting the gambling sites at lunch and picked up yet another malware app.
  • by gfecyk ( 117430 ) on Monday October 18, 2004 @09:59PM (#10561563) Homepage Journal
    Proven on two medium-sized networks I maintain for clients. No spyware in two years and I don't even bother with up-to-the-minute patches. Just patch for serious problems or when a service pack comes out.

    Limited User accounts also provide the best AV on Windows, second only to MS Office SP3 and later which block bad e-mail attachments, bad macros, etc by default.

    Finally, stand-alone NAT routers that act as firewalls keep worms out.

    Worried that your software won't work as a limited user? Harass the vendor. Go to their competition. Loosen up security on individual files and folders (hence, suggesting XP Pro instead of XP Home). Test, test, and test some more. You'll save hundreds if not thousands on annual AV subscriptions and catch new threats before the AV vendors (and Spybot / Ad-Aware) can.
  • Heretical advice??? (Score:3, Informative)

    by vudufixit ( 581911 ) on Monday October 18, 2004 @10:01PM (#10561577)
    I did some spyware experiments of my own one day, to "ferret out" where some of this stuff came from. I did a clean install of XP on a machine, and carefully documented what I did, and the resulting changes in cookies, commit charge, etc. The results were interesting - I visited a lot of adult porn sites - literally just combining verbs and adjectives, and got very little in the way of spyware. I went to a particularly vicious site - default-homepage-network.com, and instantly got hit with a bunch of popups and three items immediately went into add/remove programs. Then I installed the "standard" kazaa - installing spyware programs was part of the initial installation!!! Commit charge went from about 100 megs right after a bootup, to 212 after installing Kazaa. Then, I wiped the machine out and installed XP and then SP2. The first things I tried - porn sites and default-homepage-network, didn't do anything - only Kazaa resulted in spyware, because installing it yourself is part of the package. When I clean out clients' PCs, I do the following: 1. Safe mode, command prompt - delete everything I recognize as a spyware .dll or .exe, and I rename anything I believe may be a system file. 2. Normal mode, uninstall any program with "rebates" "shopping" "bargain" etc... 3. Install and run Adaware, Spybot, Hijack This, CW Shredder, and Spyware Blaster. 4. Install SP2 if it's a recent machine - SP2 tends to crush PCs that have been running for a while. 5. Scold them for downloading music, and remind them that not only will they have to pay me if their internet habits cause reinfection, but the greedy RIAA bastards may even come knocking one day. I agree that most 2004 and up versions of Symantec and McAfee include anti-spyware protection, as well. Not too impressed with Webroot Spysweeper - it's a rather ponderous product. Firefox is a damn good idea, too. And of course, stay away from "Spyware Stormer"
  • FFox (Score:3, Interesting)

    by MadEmperor ( 823313 ) on Monday October 18, 2004 @10:06PM (#10561612)
    I love how all the FFox/Mozilla comments get a score of 1.

    The truth of the matter is Mozilla does indeed prevent quite a bit of malware from entering your computer.

    Oh well, I'm sure this will be modded 1 - Redundant
  • by urlgrey ( 798089 ) on Monday October 18, 2004 @10:10PM (#10561642) Homepage
    Assuming you have to run Windows, first remember there are multiple steps that you'll likely have to take with no silver bullet. Consider these 10 steps as a spring board:

    The first step is to put in place policies (where possible) on domain controllers that prohibit both the installation of BHOs and of other software by anyone other than Administrators. Given that many, many bits of spyware (I'll go out on a limb and say most) work as (so called) "browser helper objects", don't let people install them at all. Other software Administrators can install when needed. It's actually fairly easy to do.

    Second, where possible, deploy W2K or XP, and...

    Then, third, where possible, yank people's admin privs. In virtually all cases, with a bit of good ol' trial-and-error, you can successfully adjust users' permissions to take away admin from most folks. Let's face it, most people SHOULD NOT have the ability to have admin on their own machines.

    Fourth, where possible, dump IE.

    Fifth, do some short SMALL GROUP tutorials about the evils of spyware and how it works. (I found this to be surprisingly useful for teaching users about passwords.)

    Sixth, where possible, dump IE.

    Seventh, consider netbooting the workstations and storing users files on fileservers. That way the OS you give 'em is the OS they get and it's always the same every day. (Tell them to think of it as life imitating art as in "50 First Dates", where they get a fresh start every day....)

    Eighth, where possible, dump IE.

    Ninth, go with something many of the folks here have/will recommend in terms of enterprise-based anti-spyware/anti-virus/anti-?????? software. I used Norton Corporate Edition in a fairly recent gig, and while that particular version didn't check for sypware, there are a number of solutions others are proposing that will. (The Corporate Edition is critical to your sanity--you can manage the AV software on *all* desktops via a central console.)

    Last, and not least: dump IE.

    ------
  • by killjoe ( 766577 ) on Monday October 18, 2004 @10:19PM (#10561717)
    So you installed ad aware and spybot on most of 2000 systems. Did you pay the authors of those software any money? Maybe if you paid them some money they could help you roll out massive deployments or modify their software to suit you.

    My guess is that like most companies you installed them without paying because you didn't have to fill out forms or break your budget. Now you are looking to pay somebody else for software after using their products for all this time.

    Just doesn't seem fair.
  • Is this a company? (Score:3, Insightful)

    by duffbeer703 ( 177751 ) * on Monday October 18, 2004 @10:25PM (#10561754)
    If it is, the solution is simple:

    - Obnoxious, nazi-like filtering at the proxy level.

    If people want to surf or play games, suggest they seek another job.
  • Lock 'em Down (Score:3, Interesting)

    by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Monday October 18, 2004 @10:27PM (#10561776) Homepage
    Yes, you can run ad-aware and whatnot, but there is a better way.

    Do all the computers (or even most) really need to be able to install applications and such? Is that really neccessary? Lock them down! Lock them down TIGHT so the users can't install stuff. Lock out all internet access (through a proxy or something) for any computer/user that doesn't need it for their job. Use something like Ghost or DeepFreeze to restore computers nightly/weekly/whever there is a problem. That way, even if something DOES get installed, it will be gone when the computer is re-imaged over the LAN (overnight, perhaps).

    And don't forget the users. Not only do they need to be educated, but put some kind of penalties on them for getting spyware installed. Give them one "warning", then after that start doing things. They lose internet (if possible), they get docked a little pay/vacation time/sick days, something. You'd obviously have to talk to a lawyer to make sure it's legal and such, but when it becomes the user's problem too, they'll care a lot more. Another great suggestion is this. Is there some kind of message of the day or builten board or something? Post the names of repeat offenders on it for a few days after each incedent. That kind of publicity can work too (again, make sure it's worded in a way that can't get you in trouble, check with the law guys).

    Through removing unneccessary premissions, restoring the OS, and just plain old humiliation... you can make your spyware life easier.

    • Man... (Score:3, Insightful)

      by msimm ( 580077 )
      I was with you right up until you said penalties. How many work environments will let the IT department waste time and valuable (well, sometimes) resources with petty penalties? I'm all for limiting what a user can do, after that its just them and god (and their boss of course). :)
  • Thin Clients (Score:3, Informative)

    by fire-eyes ( 522894 ) on Monday October 18, 2004 @10:29PM (#10561796) Homepage
    If your users must have windows workstations, set them up with thin clients via PXES. Have them connect to MS terminal servers (2003 ent preferred).

    Single point of control (at least per server). Save insane ammounts of money.
  • xterm (Score:3, Insightful)

    by sPaKr ( 116314 ) on Monday October 18, 2004 @10:39PM (#10561846)
    You need central computing. One (or few) big servers that kept clean and well managed. Then make the remote clients dumb, locked down, and netbooted if possible. So basically what you want is xterminals. That run a local citirix client to access winblows apps and your done. This doesnt fix the sales departement laptops, but then again nothing will, its best to put those on a rotating plan where sales guys drop off the laptop ever few weeks for prevenetive maintaince (wipe the machines, and install the latest updates). Also make sure you rotate the laptops, this prevents people sticking their own crap on them. USB keys can work well for storing local stuff, if vpn protected netshares are not available. In the end you will spend man years protecting invididual machines, while protecting one machine is much more feasable. In the 80s we ran away from network computing becouse networks were very unstable, slow. Now that ethernet is more reliable, and 100Mb or faster is the norm, network computing makes much more sense.
  • spywareblaster (Score:4, Informative)

    by mpost4 ( 115369 ) * on Monday October 18, 2004 @10:42PM (#10561863) Homepage Journal
    It selectivly breaks activeX to prevent spyware. I use it on my only windows box. Failling that, I have linux on 2 systems and Mac OS X on the other two. And on my work box which is dual boot I have spywareblaster on the windows part.
  • by senatorpjt ( 709879 ) on Monday October 18, 2004 @10:52PM (#10561915)
    When someone's computer gets fucked up, just set a firewall on their IP so they can only access a list of websites, and block their email so they can't receive any executable attachments. That'll teach them.

    There's no reason for most people to need access to the whole internet at work, other than work would really suck if I actually had to work instead of sitting around and reading Slashdot.

  • www.pestpatrol.com (Score:3, Informative)

    by sid crimson ( 46823 ) on Monday October 18, 2004 @11:09PM (#10562000)
    Pest Patrol. There is a 30 day / 25-user trial available online. Pest Patrol [pestpatrol.com] They were recently purchased by Computer Associates, and this product will be rolled into their Secure Content Manager package in a year or so.

    -sid
  • by Wiseleo ( 15092 ) on Monday October 18, 2004 @11:17PM (#10562034) Homepage
    My solution is simple.

    No user can write to the registry in the common spyware places. All access to write to the ares of the registry that is commonly attacked by spyware is removed by GPO. That is - no unapproved shell extensions, no BHO add access, no new Explorer bars, no ability to modify the Winsock32 stack, no install priveleges. All apps are deployed through GPOs. There is a white list of approved ActiveX in general and BHO controls.

    Spyware usually requires BHO access to tap into IE. Removing that access is good. White list enables the ability to provide desirable BHOs, such as Google and Yahoo bars, as well as internally developed apps.
  • EnCase Enterprise (Score:3, Interesting)

    by funk49 ( 416343 ) on Monday October 18, 2004 @11:35PM (#10562120)
    Depending on your budget, try Encase Enterprise by Guidance Software. EnCase is the forensic program/application used by the US Govt and also by most of local and foreign law enforcement investigators as well.

    The Enterprise version takes forsensics a step further, utlizing a client listener app which runs on the desktop and after establishing a baseline of permitted apps, can be used to detect and counter malicious apps running on the LAN and WAN as well as imaging drives realtime for investigative purposes.

    Investigations have been performed from halfway around the world with the click of a button. Another selling point to the PHB's is that it can be used for HR investigations as well, making it an easy ROI for most companies.

    http://www.encase.com/ [encase.com]

  • windows admins (Score:4, Insightful)

    by codepunk ( 167897 ) on Monday October 18, 2004 @11:39PM (#10562146)
    Most of the bright windows admins on here are going to tell you to use permissions to lock down the workstations and take machine admin rights from the users. Now you have to sit back and ask yourself is that really going to help? Yes it is probably going to help but they are really luring themselves into a false sense of security. Now ask yourself how many of the windows admins that you know use IE? That right most if not all of them use IE. So now ask yourself what does that got to do with anything? Well if IE can execute code easily at user level privs then what happens when that stupid windows admin browses to a page containing malicious code? That's right the worm, virus, trojan has full admin privs.

    What do you do to avoid catching the flu? That's right you get a flu shot. So do yourself a favor and get a flu shot, install mozilla on the clients everyone will thank you for it anyhow.
  • by inhalent ( 88094 ) on Tuesday October 19, 2004 @01:00AM (#10562565) Homepage
    I manage an active directory domain and I've taken care of the major offenders through group policy.

    First, I attempt to download the spyware much like any user would. When I get the prompt asking me to approve this installation, I view the certificate that it was signed with and save the certicate to the file.

    Next, I add that certificate to the list of banned certicates domain wide. It works great and fixes the problem of people installing spyware without knowing it.
  • by Tuxedo Jack ( 648130 ) on Tuesday October 19, 2004 @01:10AM (#10562608) Homepage
    Install VNC over the network (or other comparable remote-control software; VNC is free and GPLed) and put HijackThis on a read-only network share.

    If the user reports problems, VNC into the machine, run HijackThis as root, and remove what you need to.

    Running as User or Power User will help, but it won't stop everything.

    Try adding the MVP Hosts list to the firewall's shit-site blocker.

    If you can, put SpywareBlaster into your image set for the machines you clone and force a once-a-year reclone with updates.

    There's also the simple idea of not letting your users use IE. Force them to use Firefox, Opera - anything but IE.
  • by Media_Scumbag ( 217725 ) on Tuesday October 19, 2004 @03:39AM (#10563032)
    Any time you have to deal with a technical issue that involves user interaction as a component of success, you will need to propose to management, a policy that bolsters the behavioral aspect of the solution; Users need to be made, by management, to have some degree of awareness and culpability for virus and spyware infections.

    "Frequent-fires" users will be compelled to learn some digital hygine.

    Most large and medium-sized businesses operating today have some sort of policy on sexual harassment/hostile workplace/conflict of interest/Internet and PC usage policy, etc. Generally, users understand that these policies are for eveyone's protection - With ~2000 PCs in the mix... This is definately where you should start... Policy Covers Your Ass.

    On the technical side:

    1. Router logs, intrusion detection, and sniffing as trending tools to show your boss what's up with traffic.

    2. Good, solid desktop images/ app pushes/ GPO's - harden the Registry, Security Policy, individual apps as necessary. Beyond that - when a machine is sufficiently infected, it should be replaced with a re-imaged one --- it can be faster than cleaning, and is a hell of a lot more complete. This also reinforces the notion of users not storing important things locally.

    3. Helpdesk tracking software - What users/machines/network segments are continually having the same problems? Does Human Resources need to be the next step for some people?

    4. Desktop management software - provide your boss with stats on just what kind of crap is showing up.

    5. If you must use/develop software that may enable or even contain spyware, you have a particularly tricky problem that concerns both company policy and IT best practices.

    Of course, you know your boss, I don't... How you implement these suggestions is different for everyone. To some, it may seem draconian, to others, quite lax.... To some, budgets will not allow the necessary attention - for others, this kind of focus could perhaps justify a budget increase.

    Oh... And consider the broswer's role in the business - what is an acceptable $$ loss for a preventable issue? Have you already spent that?

    My $.02

HELP!!!! I'm being held prisoner in /usr/games/lib!

Working...