
From scratch, how to protect my users?

Status
Not open for further replies.

joedoufu

IS-IT--Management
Oct 27, 2004
KR
I recently got called to help a user with a simple problem, and while fixing it I was bombarded by pop-ups, spontaneously generated desktop links to porn sites, and mysterious CPU- and memory-hogging processes. I never saw a computer this bad. The user thought it was just the way things were, and didn't complain about it.

How can I protect this user and others from the incessant attacks? I've been running Spybot S+D because it's the only one I know, but clearly it's not enough as things keep coming back, pop-ups are still popping, and I keep getting Spybot "resident alerts" telling me that bad stuff is being inserted into the registry. We are using Windows XP SP2 and have Symantec Antivirus running as our basic protection.

Ideally I'd like to know what free or cheap tools you're using out there, and/or how you configure your computers for today's crazy world.

 
Have you been updating your spybot?
You might have a look at spywareblaster.
 
Yeah, it's definitely got all the latest updates and immunizations. Something's in there that's not getting detected and wiped out.
 
Some popular tools:

Hijackthis
Spybot
Adaware
Spyware Blaster

Ways to protect:
Don't use IE. This isn't because we all hate MS, it is a fact of life. IE makes use of security-hole-ridden ActiveX and allows much of the spyware and adware to be installed when the user isn't looking. Also, Spybot has some wonderful tools that are turned off by default. Also, make use of the HOSTS file to deny access to known malicious sites. Or, make use of it on your DNS server. Also, do you have an IPS (Intrusion Prevention System) on your boundary? How about content filtering?

----------------------------
"Security is like an onion" - Unknown
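
The HOSTS-file suggestion in the post above, as an added example that is not part of the original thread: a Python sketch that merges a blocklist into a hosts file inside a marked section, so it can be re-run on every machine without duplicating entries or overriding existing mappings. The sink address, the marker comments and all hostnames are assumptions constructed for illustration.

```python
import re

SINK = "0.0.0.0"                      # assumption: sink address for blocked names
BEGIN = "# BEGIN managed blocklist"   # hypothetical markers delimiting our section
END = "# END managed blocklist"
# Dotted DNS name: labels of letters/digits/hyphens, at least two labels.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")

# Constructed sample input (reserved .test names, not real sites).
SAMPLE_HOSTS = "127.0.0.1 localhost\n10.0.0.5 intranet.example.test\n"
SAMPLE_BLOCKLIST = ["ads.example.test", "ADS.Example.Test.", "bad host",
                    "intranet.example.test", "tracker.example.test  # popups"]

def clean_blocklist(names):
    """Normalise, validate and de-duplicate candidate hostnames."""
    seen, out = set(), []
    for raw in names:
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        # Skip blanks, repeats, and anything that is not a plain hostname
        # (embedded whitespace would otherwise smuggle extra fields in).
        if name and name not in seen and HOSTNAME.match(name):
            seen.add(name)
            out.append(name)
    return out

def merge_hosts(hosts_text, blocklist):
    """Rebuild the managed section; lines outside it are kept untouched."""
    kept, mapped, inside = [], set(), False
    for line in hosts_text.splitlines():
        if line.strip() in (BEGIN, END):
            inside = line.strip() == BEGIN
            continue
        if inside:
            continue                  # old managed entries are regenerated
        kept.append(line)
        fields = line.split("#", 1)[0].split()
        mapped.update(f.lower() for f in fields[1:])
    while kept and not kept[-1].strip():
        kept.pop()
    # Never override a name the admin already maps (e.g. an intranet server).
    block = [f"{SINK} {h}" for h in clean_blocklist(blocklist) if h not in mapped]
    return "\n".join(kept + ["", BEGIN] + block + [END]) + "\n"

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_BLOCKLIST), end="")
```

On Windows XP the file to rewrite with the returned text is %SystemRoot%\System32\drivers\etc\hosts, which needs administrator rights.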
 
Simple, don't let your users have access to the internet. [bigcheeks]

On a serious note, I used to be able to rely on a combo of Adaware and Spybot S&D, but the latest generation of malware has been able to circumvent these tools.

I've taken to learning how to interpret the logs HiJackThis creates. It's very thorough, showing you everything that's getting loaded, you just need to learn how to discriminate the results.

Failing that, I make sure I have up-to-date images of all the builds of our machines. If it gets too hairy, nothing can survive a reghost.
 
Well, some battles you just can't win without a clean reimage... but if you really are going to battle this one out, use Spybot, keep running it, update it every week. NAV is good, but usually doesn't do too much on spyware. I am thinking at the lowest level a personal firewall on every machine; Zone Alarm might do it, or even a copy of Norton Internet Security. For Zone Alarm, I am sure there is an eval lurking out there. Also, Sygate has a free personal use one here. Those should limit the amount of inbound/outbound traffic.

If you think you can, you might...if you know you can then you will.

A+
 
Following in the advice given by techiemichael, you may want to switch your users over to Mozilla, better security, and very user friendly.

If you think you can, you might...if you know you can then you will.

A+
 
Gonna toss in my 2 cents worth here... you're asking the wrong question joe. The question is "how do I protect my network from my users"?

You can do pretty much anything you want and spend absurd amounts of money on security and software but in the end, one idiot user can wreak havoc.

If your systems are getting a lot of spam and spyware, then your employees are surfing sites other than "business related". This can and will at some point have consequences. I've tried in the past to use the honor system but I realize now that it just doesn't work. Typical company users are of the mindset that anything goes with the internet and that's the hardest thing to change but it can be done.

The companies I deal with have started using "acceptable use policies" and are now enforcing them. They realize that the users are the weakest link in the security chain. I've started using ispy (fantastic code posted by another tek-tips user), without the users' knowledge and if sites other than "acceptable business use", they are notified. It will scare them enough to curb it. If it doesn't, get them out of there.

It works extremely well, good luck.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
BTW, I'm a consultant...

And before anyone jumps on me, many of my clients do not need spybot or ad-aware anymore. The employees stay off sites that are not business related, and this curbs spyware. They do not use their corporate email for anything other than business, so very little spam comes in...

And most of these clients do not want to spend a lot of money on security, lots are running linksys instead of a higher end firewall.

~ K.I.S.S - Don't make it any more complex than it has to be ~
 
KARMIC~
joedoufu never really mentioned that this is indeed business use. From my standpoint if a user at his home wants to actively browse the web, that is their option. The recommendations you made are great for business use, but when you try to talk a home client into restricting their computer from those sites, that's a way to lose business... With the techy world so saturated with computer repair shops, each customer is vital to business, especially if they are recommending you to others.

If you think you can, you might...if you know you can then you will.

A+
 
i suggest also that while in safe mode, you might want to clean both your system cache and internet cache as the process might be loading from there (i use the free edition of 123wash to do this.)

i'd also suggest you install a firewall if you don't have one as it will prevent unwanted processes from accessing the internet without your knowledge.

sure hope this helps. peace! [peace]


kilroy [trooper]
philippines

"If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get one million miles to the gallon, and explode once a year, killing everyone inside."
 
I think that is a good point to make IF IT IS A BUSINESS, he never specified that. You can't restrict home users the same way you restrict a business. Corporations can restrict users because they are providing the computers, the Internet connection, and software. Now if a user bought his own computer, his own ISP service and his own software, what right does anyone have to tell them what sites they can go to? Again that was a valid point if it is business use, but I was under the impression that this was more of a freelance or computer repair shop.

If you think you can, you might...if you know you can then you will.

A+
 
JPLWU, I think joedoufu's use of the term "user" fairly well indicates he was referring to employees of a business.

I think "customer" is the term freelancer/repairshops use to describe those that they support.
 
i agree to all. in any case, it's also better if you could educate the users/clients (or however you call them) about spywares, adwares, virii, trojans, etc.

hope this helps. peace! [peace]

kilroy [trooper]
philippines

"If the automobile had followed the same development cycle as the computer, a Rolls-Royce would today cost $100, get one million miles to the gallon, and explode once a year, killing everyone inside."
 