Keeping spyware off users' computers

[MikeT]

I support almost a hundred pc's, and I've seen spyware problems so bad that formatting and reinstalling was the best solution. We have to use IE, so switching browsers isn't an option.

Recently, I started blocking all ActiveX at the firewall, and I install SpywareBlaster,IE SpyAds, and Spybot (with the Immunize feature) on every new pc that comes through my office.

This is pain, and in my opinion shouldn't be necessary. What preventative measures do guys take when it comes to spyware?

 

[nipester]

If you have XP then the system restore utility can come in handy. A clean image of the OS, dumped onto a second drive letter might help in a clean recovery. Most people use ghost for that.

I guess a lot depends on how those 100 users keep getting spyware. Is it through the web or email or instant messengers.

 

[MikeT]

I'm sure all of it is coming in from the web. Ghosting is not an option as all the pc's are different. The steps I've taken (oulined above) seem to be working well, its just a pain in the rump.

I guess what I need is a centrally managed spyware prevention/detection/removal system. I'm not even sure if that exists.

 

[Mich]

A step I've been considering is installing spybot on each machine and creating an autorun.bat to put into the startup folders. The batch file would simply be,

spybotsd.exe /autoupdate /autocheck /autofix /autoclose.

The only reason I haven't done this is because I haven't found a good (i.e. easy) way to install spybot on all of the clients.

-If it ain't broke, break it and make it better.

 

[shannanl]

I work at a hospital with about 75 computers. I also work on computers after hours and about 90% of the computers I work on are infected with adware/spyware/malware. It is crazy! I use Adware. I set it to run automatically everytime a user starts his/her computer. I use it at home also. I have had really good luck with it. I am also very aggressive in blocking sites that I know is going to try to download this junk. That is the first line of defense against it. I have ran into a couple of computers that were so infected that I had to format and reinstall OS. Generally I can get all the junk off. Run Adaware with updated definitions. Restart the computer with Adaware set to clean on startup and let it run that way. Shut the computer down and start in safe mode. Run the scan in safe mode (it will catch several things it would not in normal mode). Usually this little routine will clean all of it off. I also use Spybot some as a double check but I prefer Adaware. Its a never ending battle to keep this stuff off computers, but hang in there. Be aggressive on blocking the users from offending websites.

Shannan

 

[br0ck]

I have ran into the same problems and one of the best solutions i have seen (it's a little resource instinctive) is setting up Symantec Web Security proxy server

you need to take the time to train the software but is blocks every thing you need

if you have a MS AD network you can set a gpo to force the clients to use this and remove user access to change the settings as well as add exceptions to trusted sites

this centralizes all the management for web access

this spyware etc. battle needs to be addressed by the manufactures

cheers

 

[bofhrevenge2]

I work in a college with hundreds of clients and users that insist on trying to install crappy toolbars and other spy ware ridden freeware. After allot of testing I have found the best way to prevent spy ware from finding it's way onto PC's is to give them restricted user rights this removes write access to the Windows and Program Files directories. As this is where 90% of all spy ware tries to install to they fail, also Active X is prevented.
We switched to Symantec corp. edition 9 as this now included an enhanced scan facility that looks for spy ware as well, since I went with the restricted user solution Symantec hardly picks up anything where as before almost every PC’s had a red box against it.

I know it can cause a few issues but I found this to be the best way to prevent the problem.

Just my humble opinion.

Cheers.


I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks

 

[Auger282]

we block the majority of spyware with our websense server... then again we are a business and dont allow "non work related" surfing

 

[jakatz]

I am probably too late to the party but I will put in my two cents anyhow.

I too support 100+ machines here. Short of blocking internet access to the entire building (although some are blocked), I am a firm believer in checking out the latest and greatest promises in abating spyware. Quite frankly, I am quite impressed with Microsoft's answer to spyware . . . that is Microsoft AntiSpyware. Althought it is still in beta (and truthfully they only bought a company and didn't necessarily build it from the ground up themselves . . . it is a damn good tool. And for free . . . . you can't beat the price. Give it a shot if you haven't already - it really seems to work well.

 

[bofhrevenge2]

Yep it seems pretty good unless your a rival ISP

http://www.theregister.co.uk/2005/02/22/microsoft_spyware_ilse/

If they release a policy controlled version for the enterprise it could be big.

I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks

 

[bofhrevenge2]

jakatz to be honest i like your idea of blocking internet access for the entire building i'll put it to the board tomorrow. BOFH

I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks

 

[Auger282]

microsoft announced that antispyware will be free but they will have a more manageable solution for corp. environments... so it may be worth the wait..

MY big beef with antispyware is that it doesnt BLOCK the spyware.. it only identifies that something is doing something somewhere.. and then it tells you to do a full scan.

Granted sometimes it may ask you to ignore or block a setting change but the fact is that it doesnt block the main spyware from executing and carrying out its dirty deeds..

THEY DO install and the only way to remove them is by after-the-fact doing a scan....


We still need a solution to BLOCK the spyware and cut it off before it even does anything and truly defend against it ever being installed in the first place...


At this point there is only one way to do that.. Proxy

People who have spyware on their computers Arent going places they should be... its as simple as that

... *shrug*


my2cents

 

[bofhrevenge2]

Thats true there does need do be a more active side to it as quite alot of spyware is actually installed by the user and infact if they read the EULA it will tell them (but who does that before adding an annoying toolbar to IE).

It's the same with Symantec corp 9 it will tell you when you do an advanced scan but otherwise you get no indication, this is annoying as surely the active scanning must of observed the whole thing. Even if it doesn't remove or prevent it installing it would be nice to be informed of it's pesence.

 

[jakatz]

Well Microsoft's Anti-Spyware is a whole lot better than the "free" SpyBot S&D or Ad-Aware - at least Anti-Spyware runs constantly active and monitor's what's going on. Not to mention that the spyware definitions are constantly updated automatically AND the "SpyNet AntiSpyware Community" helps to identify the crap quicker.

As long as you have "non-technical" and "non-computer savvy" users (and of course the dreaded teenage users), combnied with a live broadband connection, you will always have these spyware infections. It really is almost pointless to try to educate these users as far as how badly spyware can mess up a machine (especially since the "entry points" of these infections always seem to change). . . we as the "technical community" just have to take the pro-active steps necessary in order to avoid these infections which ultimately will save ourselves headaches and un-needed work.

OK . . . I will get off of my soap box now. Just don't forget that it's those users who think they understand it (but don't), that are the most dangerous.

 

[Mich]

A problem I've run into using MS's spyware tool is that it blocks a lot admin functions. For example, I use SMS and vbscript to administer my PCs. When I try to run a script or package on a client there is a pop up that asks the end user if they want to run the script/package/executable/whatever. Typically they say no and I don't blame them.

There may be a feature with the application that allows me to turn this off, but I haven't found it yet. Other than that I love the app. If they develop some sort of corporate version I think it will definitely be the way to go.

-If it ain't broke, break it and make it better.

 

[bofhrevenge2]

I think they are going to release a policy controlable version where options like this are configurable. There is only so far they will go with a free version i imagine. Still i've been using it for a couple of weeks now and i'm impressed so far.

 

[datadan]

This topic interests me. The Microsoft tool requirements are a bit much for my user base. Anyone running a proxy server on a Linux box and blocking the stuff via some sort of Database updates?

Thanks,

 

[philote]

We too must use IE because of certain web sites we need to use. What I had thought about doing is blocking all but those certain web sites with a GPO and forcing users to use another browser (Firefox most likely) for any personal browsing. I'm sure this will greatly reduce the amount of spyware installed. I'm also considering giving users restricted rights to their computers so they couldn't install any software.

And I'm curious about how well a 'hosts' file that blocks ad and spyware sites would work. I've seen several of these and they would be very easy to install on users' machines with a logon script.

 

[lkw441]

I am just a single user. I am using the MS AntiSpyWare on my system as well as SpyBot and AdAware. My problem seems to be that after the initial scan by MS ASW where there were a few files found there doesn't seem to be any more protection. ASW is continuously lurking in the background but whenever I run SpyBot there are still numerous files found and cleansed. Does anybody have any suggestions to where I don't have to keep fighting this %#$##$? Thanks for your help.

Larry

 

[bofhrevenge2]

Yep run your PC as an ordinary user instead of an administrator especially when using the internet. Using an alternative to IE like Firefox helps (though i suspect not for much longer). I've been doing this for a while now and the amount of spyware on my PC has plumeted to almost nothing.

"Sometimes, a cigar is just a cigar." - Sigmund Freud