How do you combat spyware/malware?


mtktech (MIS, US; member since Aug 11, 2000)
I'm interested in seeing what others use to help curb all the malware they receive. I currently admin 6 different networks, two of them have 30+ PCs. The others are much smaller. On my two bigger networks I use a SonicWall appliance and block all ActiveX, Java and cookies to every website. I then add safe websites as we need them. So far this has worked out really well, centralized control. I also have Spybot on all the workstations and I've run the "Immunization" in case something gets through. On my smaller networks I only run Spybot at the moment. It's easier to concentrate on client education than it is to get them to spend $1500 for the SonicWall appliance. I've also tinkered with some of the IE security settings, but this usually causes problems since most of my smaller clients are insurance companies that need access to complex web sites.

So how do you combat malware in the corporate environment?
 
Ad-aware has a corporate version (they refer to it as Professional) that provides centralized and automated control. I recommend it to businesses with repeated spyware problems.
The major antivirus companies are also finally targeting spyware/adware in their latest products, though, from my experience, they still have a ways to go before they detect nearly as much stuff as either Ad-aware or Spybot. Worth it as a secondary precaution though.


 
I'm actually in the process of testing Symantec's Web Security addition to their Corporate product, Ver. 9.0. I hope it works out, since we already have a license for the AV server, desktop and Exchange .. this is just icing on the cake. But Symantec rarely gets things done correctly the first time. :/
 
My company uses McAfee virus protection. VirusScan Enterprise 7.1 is great for detecting and reporting spyware but not for removing it. At the moment, we run virus reports on an ePolicy Orchestrator Server that tells when a computer starts seeing major spyware. We then use a combination of Ad-Aware and Spybot Search and Destroy to clean up the spyware. Ad-aware cleaned 657 items from one computer. These are hopefully interim resolutions to the problem.

Somewhere near the end of July, VSE version 8.0i is about to come out. If it works as advertised, you can set it to prevent the entry of spyware on a computer or allow it to uninstall and delete existing spyware. It will be tested within an inch of its life before full deployment. I'm looking forward to the release because spyware is becoming a major problem.

We are a small but international company with six facilities in four countries - about 250 users not including servers.
 
At the moment I'm taking the easy route, we've only had a couple of infestations so far, so we just flatten the PC and re-RIS it.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)
 
My company uses McAfee virus protection. VirusScan Enterprise 7.1

I feel sorry for you. McAfee is just plain crap in my book. It has a tendency to do more to hurt the systems it's on than help them.

What I use:

At Work:
intrusion protection:
Crappy little router with a hardware firewall, router connects to the full 24 port switch, we have approx 25 nodes at any given time.

Virus protection:
F-Secure Anti-Virus and Internet Security (AV with a built-in software firewall)

Spyware protection:
Spybot Search and Destroy 1.3 and Adaware 6

end user protection:
no publicly accessible nodes, all nodes are hard-wired, idiot users can not so much as print, only use internet explorer and a server-side app.



At Home:
Intrusion Protection:
I have a honeypot/bitchbox at the front of my network connecting out; anything that goes through my network must go through this machine, which I use to test operating systems and perform full packet logging. The system is of course configured as a multi-boot boxen, currently running Winblows XP Home and Red Hat 8 (changing soon). Behind that is a Cisco 7000 router with all ports closed; one must console in and open the desired ports for outbound connections. Currently this part of the network is just running RIP. From the router 5 machines are connected, including my file server, though one of those five is an old 200 MHz AMD K6 that merely allows my frame relay network behind it to communicate with the rest of my network. The aforementioned frame relay host connects to a Catalyst 5505 switch (Cisco, of course) which acts solely as a frame relay switch (we all know, of course, that a frame relay switch cannot directly communicate with a RIP network unless there is a host between them). The frame relay network has 13 nodes (excluding the aforementioned host that merely acts as a middleman) which dual boot to a Windows 2000 Advanced Server cluster and a Linux Slackware Beowulf cluster. A pretty nice setup, if I do say so myself.

Anti-Virus: F-Secure is really good, but at home I use Kaspersky Labs, well.. BitDefender now.. BitDefender is made by the programmers who made Kaspersky Labs until new management took over and wanted to make changes they didn't like. I of course follow the programmers, not management.

Anti-Spyware: I run Spybot Search and Destroy first, then Ad-aware second; current versions are Spybot 1.3 and Ad-aware 6.

If I have any real problems, my file server has archived images of each and every one of my hosts, with the exception of the first one mentioned, which sits outside of the protection my Cisco 7000 offers. While as a honeypot it's not the best.. it certainly serves its function of logging.

(Best honeypot I've ever seen logged everything directly to a line printer.. good luck deleting that.)
 
Nobody has mentioned it yet, so I'll throw another suggestion into the ring. PestPatrol v5.0 Enterprise edition is a great solution for small to medium businesses. They have a dedicated team of full-time researchers and provide updates much quicker than most of the other spyware/malware/parasite solutions. In the last 2 months they've provided new updates at least once a week.

The great thing about their new version, aside from scanning speed and decreased false positives, is that there is a centrally managed server from which you can install, scan, and review log entries for systems you're protecting.

You should definitely check it out.


~A happy PestPatrol customer
 
Quote from AnalogAnomaly:

I feel sorry for you. McAfee is just plain crap in my book. It has a tendency to do more to hurt the systems it's on than help them.

I'm not sure what products you're referring to but version 7.1 has worked very well, has a small footprint and nothing much has gotten by. Occasionally we're one of the lucky few to get a virus before the AV companies discover it. So far users have asked before opening.

The ePO system is great when it works but seems to have more than its share of problems.

I'd like to hear more about the damage it does to systems.
 
bfralia,

I agree. I use McAfee 7.x in conjunction with ePO 3.x on a network managing about 500 PCs. Quite simply, it works great. ePO allows me to manage scheduling, CPU usage, types of files scanned, and just about anything else I would be concerned with. I would encourage anyone to take a look at the products.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 
You can try this, possibly, as well: faq760-5177
and look here: thread1117-809501

Stephen [infinity]
"Jesus saith unto him, I am the way, the truth, and the life:
no man cometh unto the Father, but by me." John 14:6 KJV
 
I too suggest McAfee. We had some problems very early (about 1998) but the 7.x is much less resource-intensive compared to any other AV we've tried. Our network uses ASaP for the desktops/laptops and 7.x on everything, it works great.

I do not work for them, they just work for me...
 