Sniffing out Spyware
Novell Cool Solutions: Trench
Updated: 31 May 2006
Question: Dwayne Watkins wrote: Recently the talk of spyware has increased. What I wonder is what other offices are doing about it. Currently I am running Spybot from a command line in Applauncher. I have found several ways to run it from there. It's set to run hidden in the background during the hours that most users are out to lunch and right before the users go home for the day. Applauncher keeps track of my distribution script as well as whether it ran successfully, which is beautiful, but as I stated earlier, I would LOVE to know what other companies are doing about it. Is it possible to submit this as a cool solutions question?...
Answer: OPEN CALL: Good idea, Dwayne. Let's see what everyone else is doing to sniff out (and snuff out) spyware. Fire when ready...
Note: For additional information, check out the new AppNote: Automating the Installation and Execution of Spybot Search & Destroy with ZENworks, by Bill Geschwind.
- Marcel de Roode
- John Carson
- Glenn Sullivan
- Olivier Van den Eede
- Greg Nash
- Matt Pierce
- Gareth Williams
- Dan Hill
- Terrance Turner
- Ryan Jordan
- David Swafford
- Sangita Patel
- Paul Bonjean
- Mark Baldwin
- Norm O'Neal
- Maurice C. Patton
- Frank Neill
- Joel Boyles
- Jason Emery
- Tony Pedretti
- Jim Norton
- Steve Shumski
- Paul Pritchett
- Darin Boudreau
- Darrell Milam
- Eric R Derby
- Ryan Firth
- David Phillips
- Perry Guidry
- Shandi Druet
- Billy Stokes
- Matt Merrell
- Stephen E. Goss
- Scott Russell
- Carl Beehler
- Stuart Jamison
- Gary Horneman
- Toby Fruth
- Tony Pisarek
- Paul Caron
- Eric Ho
- Jules Kremer
None of our users have administrator or power user rights on their Windows2000 desktops. All local users are created as "user" (restricted user). We have never had any complaint about spyware.
The only problem with spyware is with some "hot shots" who have requested (and been granted) admin rights from upper management, overruling the IT department.
Our policy is thus: when you are knowledgeable enough to have admin rights (to install "test" software) you should be knowledgeable enough to avoid spyware. Whenever they get hit with nasty spyware (and that is more often than they expected) the only solution *we* offer is fdisk and reimage.
All of our users are restricted users with little to no authorization of any type. We have been lucky thus far, but have come across a few new Java-based Spyware apps popping up. We currently have placed Webroot's Spysweeper on some people's machines that we believe to be more troublesome than others. We added Google's Toolbar/Pop-Up blocker to almost every workstation's IE Browser. RBL, Anti-Virus Firewall with Content Filtering, GWAVA all helping out together to limit and restrict any possibilities of spam programs.
On the browsers, most users' restrictions are set to High and absolutely no ActiveX is allowed to run at all. We are putting in place a newer AV Firewall that will check all malicious code of ActiveX so we can allow users to run more web-based apps. Also, in the Browser settings we disabled the option to allow the browser to install applications for itself and 3rd-party apps.
Lastly, with ZENworks we are pushing some registry entries to force some entries to stay the same in case a user or rogue application decides to change things. This helps keep programs from spreading. Another hint someone else gave us was to reduce the size of the person's internet cache, and have it delete upon exiting the browser, helping reduce possibilities of programs putting files everywhere. The user's %TEMP% directory should be emptied out on a daily basis as well.
A lot of small things and fine tuning has kept us in the clear, except for that new Java spam/virus that popped up a week ago. AV Firewall grabbed it for now; hopefully we won't have to restrict Java apps. And, similar to Marcel, all users are notified that their machine can at any time be fdisk'd and reimaged in the event they try to bypass any of these measures we have put in place.
Well, all of our users are administrators of their own PCs, so we have a large problem with Spyware and Adware. Since we have about 6000 plus units, our fix has been to just install Adware remover and A2-Squared on the machines. We fix it the first time and then let the users fix it themselves from then on.
We have been looking into a global corporate system to handle this problem, something like Symantec Antivirus/Firewall but there doesn't seem to be a product that can be easily managed centrally to do the other functions needed by corps these days. Symantec does Virus, some Trojans and Firewall; it's good at being centrally managed but it really lacks when it comes to the rest of the security problems desktops face.
What we need is a centrally controlled corporate system that can do the following:
- Firewall: centrally controlled rules
- Centrally report on breaches
- Monitor detected IP intrusion attempts on units
- Monitor detected IP scanning attempts on units
- etc etc etc
Anyone want to write something?
The overworked Gnome
SpywareBlaster/Spybot. I have used this on my own system with very impressive results. To refer to the previous post: it is not because one doesn't have any complaint about spyware that the problem doesn't exist. The major idea behind spyware is just that it goes on without the user's knowledge or interaction... and of course, depending on the system and connection, the system might take more or less time to gradually slow down.
That said, we are certainly also looking into the Security & Privacy settings tab of Internet Explorer (and how we can push these out through ZENworks as a local machine policy). There you can play around with the cookie settings (cookies make up a large part of various spywares). You can put the slider to Medium High or High and then put your company's internet page and intranet page into the 'allow' websites section so it overrides the general security setting for your own websites and domain. Users can even do this themselves for individual websites they need to access frequently if needed.
Our office uses a mix of Windows 98, 2000, and XP. Unfortunately, locking down Windows 98 workstations isn't worth the trouble, since the OS is so insecure to begin with. We are using a wonderful freeware app called Spybot Search & Destroy.
It's freeware, and does the trick.
We push it out with ZENworks to elevate the application's privileges to the locked-down workstations. The users can run it at their leisure, and we can schedule it to run on a whim!
We use USB Pen Drives with Ad-Aware on each one. When we hear of a case of Spyware or our ZENworks Inventory reports show known spyware vendors in the list, we go out and scan those PCs, eliminating all the Spyware. At the same time, this gives us a chance to remove all the other no-no's they should have never downloaded and installed to cause these problems.
But, if there was a way to remotely scan the PCs with ZENworks, I'm all ears to learn how. Anyone?
Like others we use Spybot and Ad-Aware on an as-needed basis. Trend Micro's latest version of OfficeScan claims to scan for spyware and malware but I'm not convinced of its effectiveness (just installed it). Pest Patrol makes a corporate version that is centrally managed, that I hope to evaluate. It's not cheap but it could be worth the cost.
In response to Sullivan's post: Pest Patrol offers a centrally managed adware/spyware solution. It's a breeze to install in a Windows environment, but requires some tweaking if you're in a Novell shop and don't have any Active Directory servers. I've found that PestPatrol catches more malware (including trojans) than Spybot Search & Destroy and Ad-Aware, although it sometimes produces false positives with some items, like RealVNC.
The only drawback with PestPatrol is paying for it. I love my free malware solutions like anyone else, but don't like coming out of my pocket for it. With that being said, this one is worth the money. You can download a trial and run it legally for up to 90 days and try it for yourself.
I am in an easier spot, I suppose, in that the workstations at my job are not any one person's. It seems to me that users on the whole don't have any idea about ad/spy/trojan-ware. We just elected to install Mozilla Firefox 0.9 on the machines and it seems to have done the trick. This is, however, in an environment where most of the users don't know enough to install software. Anyway, this in and of itself seems to have curbed 99% of the crap people unwittingly pick up. The nice thing is that it's a better (IMHO) browser anyway.
At my organization we use Symantec Corporate Edition 9.0, which has spyware protection built in, but for our selected "elite" users, who think that they are excluded from all computer use policies, we install a nice program called Deep Freeze from a company called Faronics. It's a Canadian-based software group, and what Deep Freeze does is, once installed on a machine, put that machine, in effect, in a lockdown state. Any changes made to a "frozen" machine are completely erased upon reboot. Also, the software is managed with an admin console that allows us to see which machines are on and which ones are frozen. It also has the ability to unfreeze itself at a specific time period (like at night for AV updates), and it can also automatically reboot at a specified time or interval.
Overall it's a great program to use, and the best part is when a user installs something that they shouldn't, the Deep Freeze software sort of messes with them, in that it will allow them to install it and use it during that session, but as soon as the machine is rebooted all changes are gone, and anything done to it, including the addition of a virus or spyware, is deleted along with any modifications it may have made.
An interesting product we have discovered is a service called AssetMetrix. It has the ability to transparently scan your PCs and report back any potential issues (spyware, browser hijackers, malware, auto-start viruses, etc.) We run it periodically, and use the reporting feature to identify PCs that have potential issues. This helps us address the problem (using various removal tools) but also identifies repeat offenders, and allows us to tighten up our IT processes to better avoid problems in the future. Very good complement to ZENworks.
We are a public high school with 1900 students/100 teachers and ~300 computers. Spyware has been the greatest nuisance we have faced. All students and teachers are "Power Users" since much of our software will not run properly as simple "Users", and even without "admin" rights the machines were constantly being infested with parasites. As updates have been made to IE, some of these buggers are no longer code-compatible and actually crash the browser, not just slow it down.
Since implementing Spybot, we have reduced re-imaging infested machines from several dozen per week to a handful per month.
The workstations all run Win-2K or Win-XP, and we have ZENworks for Desktops 4 on a Novell 6 network.
SpyBot is set to run in the Novell Scheduler at "Scheduler Start Up", with "System" rights.
Parameters are set within SpyBot for it to run automatically/silently to clean the PC as well as check for updates and "immunize" the system.
Every computer is left "ON" 24/7, and a nightly re-boot is programmed into the Novell Scheduler.
This not only clears any users who forgot to log out, but cleans the machines as well.
Works great, with only an occasional new critter getting through!
My experience with spyware started by cloning the MS Office settings from my office machine. Unfortunately, that's one of the first places spyware looks to collect user data. Soon, I was receiving over 100 spams each day. My best advice is to create a local configuration user on your image machine, configure the machine with this user, then log into the machine as the administrator, and copy the config user's profile to "default user". This way, you can control the initial settings in hkey_current_user.
More stuff: download the spyware registry block list from http://www.spywareguide.com/blockfile.php
I make two application objects for my spybot distribution. The first one installs the application pre-configured to immunize the system, with a priority set to "idle" and set to download new signature files silently. The application availability is set to install only if the spybot application is missing. Instead of using "run once" which checks the c:\nalcache directory, this method reinstalls the application if a user or malware app deletes it.
The second application object is just a shortcut set to force run spybot when a user logs in. That's why the scan priority is set to "idle". Users can still use the computer while a scan is taking place. I use command line options to /autoimmunize, /autoupdate, /autocheck, /autofix, /taskbarhide. These settings keep the program completely hidden. You need to /autoimmunize the program when it runs because new immunization signatures aren't automatically included, you have to re-immunize when you download new sigs.
There's my dissertation on spyware, go get 'em tiger!
Again, Bravo to Marcel: I wish we had the backup from upper management. Some of the users are quite convincing when trying to override the agency policy related to IT.
We also have a problem with users getting spyware. We use the following for removal:
It seems to me that there isn't just one program that can catch it all.
Here's a couple of things that we are doing.
- Use BorderManager to block known malicious websites
- Use Spybot Search and Destroy along with Spyware Blaster
- Symantec AntiVirus Corporate edition 9 is supposed to block malware (have been using it for a month now, I still can't confirm this)
- Dabbling with FireFox on certain workstations.
We have recently implemented desktop security enhancements using ZfD. We removed all users from the local administrator groups and use DLU and roaming profiles. Users are only added to the local "users" group on the Windows workstations. We also use Group Policies to further enhance the systems security settings. Since implementing those policies we have not seen an alarm raised on our perimeter from the locked-down machines. I think it is the only effective method by which you can eliminate spyware.
We are also looking at some http filtering technology on our perimeter to scan traffic looking for known spyware. The new release of Trend Micro's OfficeScan has some anti-spyware features, but we have not tested it yet as the product just came out the first week in July 2004.
We have eliminated most of the exceptions to the rule, even when it comes to SVPs and such, by working with top management and getting them on board by really making them understand the consequences and ramifications of not pursuing a policy like this even on special machines. For those few machines in the IT Department that need to be a little more free we are careful with them and use Ad-Aware. Using alternative browsers like Mozilla Firefox also helps.
Aside from installing "freeware", using Microsoft's Internet Explorer to browse the web has lately been one of the most common ways spyware and the like spread. To combat this, I've taken a more proactive approach using Internet Explorer's privacy and security settings along with software available on the internet to populate its block functions. Since these settings are effectively registry keys and values in Windows, you can also export them to standard reg files and deploy them via a login script using "regedit.exe /s" or import them into a ZENworks application object and roll them out that way.
NOTE: Prior to SP3 for ZENworks for Desktops 3.2, in order to import the registry keys and values to block cookies from various domains you have to convert the registry export file to an AXT to get them into an application object. Otherwise the ZfD plugins for ConsoleOne will not understand the non-standard default DWORD values that these settings are.
- SpyBot Search & Destroy (Immunize button blocks some known ActiveX controls)
- SpywareBlaster (blocks some known ActiveX controls, cookies and domains)
- SpySites Plus (large list of known domains to block)
Microsoft documents these "immunity" functions scattered throughout its knowledgebase. Here are some of them...
- How to Stop an ActiveX Control from Running in Internet Explorer
- Description of Internet Explorer Security Zones Registry Entries
- How to Manage Cookies in Internet Explorer 6
- How to Restore Default Settings After Importing Custom Privacy Preferences
- How to strengthen the security settings for the Local Machine zone in Internet Explorer
On the clean-up front one of the authors from Network World recently discussed the Cool Web Search nuisance [Editor's Note: Despite the cool name, this bad boy has NOTHING to do with Cool Solutions!] and a couple of utilities to help get rid of it. See Not-so-Cool Web app
The Sysinternals web site provides quite a few free utilities to help troubleshoot and isolate tasks and processes running. Take a look at Process Explorer, Filemon, Regmon, Autoruns, TCPView, and LoadOrder.
There are some extremely helpful programs which are available (some free, some not) which can be used to prevent or remove spyware.
Here are some programs which can provide more preventative measures:
I recommend to everyone I know that they ditch Internet Explorer in favor of Mozilla / Firefox. There are too many unpatched security holes and too many malware writers who target IE and Windows in general. In cases where Internet Explorer is required, however, IE-Spyad can provide a measure of protection. It is simply a registry file containing a list of restricted sites which malware authors use to 'phone home' or send information. The list of sites is very large and is updated on a regular basis. Pushing down these registry entries via ZENworks is a great idea.
- SpywareGuard / SpyWareBlaster
SpywareGuard, as far as I can tell, is unrestricted Freeware and is a real-time scanning engine for malware. This program sits in memory and looks for any malware which may try to hijack your system. SpywareBlaster is free for personal and educational use only and is similar to Spybot's immunize feature where it blocks spyware from taking root.
- Spybot S&D
The only reliable, completely free for personal use, spyware scanner is Spybot Search and Destroy. Some others include spyware themselves or are ad supported. If your company intends to spend money on a solution, Ad Aware is the other reliable choice. In either case, both should be used for maximum protection as one will catch what the other doesn't (Ad Aware's spyware database is more comprehensive, however). Spybot's immunize feature is similar to Spyware Blaster. Spybot, however, is completely free.
There are other, more advanced tactics for dealing with software such as using HijackThis and scanning the logs to get rid of hard-to-detect browser hijackers and other malware, but this is a good start for novices and experts alike.
If you are planning to deploy or use what claims to be an anti-spyware tool not on this list, check the latter link first. Some spyware removal tools contain spyware themselves!
We are currently using several tools to rid our system of spyware/adware etc. We are a 1,100 student school district with over 500 machines. We run Spybot search and destroy, Bazooka, Spywareblaster, X-Cleaner, aaw6, and the google toolbar. The combination has allowed us to become progressive in other areas instead of chasing problems.
We also have had problems with spyware -- it has been some kind of relief to see that we were not alone. To reduce the amount of spyware we have used the blocklist available from spywareguide. We are looking at the use of spybot as well. I have found the postings from this Cool Solutions article a great help.
I see a lot of the suggestions call for the use of Ad-Aware and they claim that it is free. Yes, it is free for personal use, but if you are using it in your commercial/government/education environment, the license agreement says you need to purchase licenses to use it in that environment. Granted, I love using Ad-Aware too, but the licensing for these different programs gets kind of sticky.
I don't think that using a program like spybot or Ad-Aware is the right solution. You are fixing, not preventing, a problem. Prevention is the best solution. A firewall at the workstation level that is manageable from a central location would be the best, now where do we find that?
Has anyone tried BorderManager and "Novell Client Firewall"? I don't think it is manageable from a central location unless you use ZENworks to push out the ini configuration files, which is not an ideal way, but some people are doing it.
Being in an Academic institution everyone must be able to do whatever they want, and a lot of the programs that we use require users to have admin privileges. The newest version of Webroot's Spy Sweeper Enterprise seems to be promising. It has a centralized console, real-time prevention and does not require the nasty things like Windows file and print sharing or AD. It works like Symantec in the fact that it registers the client with the server, and for those with ZfD 4 and 6.5 it is an MSI install. They just released their latest version that is supposed to have a lot more functionality to it, and seems pretty good. It might be something to look at.
Spyware in our district usually comes from two places: Faculty that doesn't know what to do when an activeX popup appears; and students who purposely download and install anything they can. Ideally, we don't want our desktops to be infected with spyware in the first place, so that is where we've concentrated our efforts. We pushed two policies down in one of our high schools that have worked better than I ever expected.
1) Prevent anyone from downloading ActiveX Controls.
2) Prevent students from downloading anything.
Notice we're not actually blocking ActiveX, since many legitimate applications rely on it. ActiveX applications already installed on machines will run just fine. Preventing the download of new ActiveX Controls keeps the popup auto-installers in check.
In Internet Explorer, click on Tools - Internet Options - Security tab - Select the Internet Zone - Custom level.
Here you can set the two policies mentioned above.
Click disable on "Download signed ActiveX Controls", and for students, under "File Downloads", click disable.
We've pushed these items through group policies, but they can be pushed through registry keys as well.
- "1001" (REG_DWORD): to prevent installation of ActiveX controls, set the value to 3 (the default value is 1).
- "1803" (REG_DWORD): to prevent file downloads, set the value to 3 (the default value is 0).
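As an added example (not part of the original post), a PowerShell script that audits the two Internet Zone values named above for the current user and, when run with -Enforce, sets them. It assumes the standard per-user location of the Internet Zone (zone 3) key, which the post does not spell out.

```powershell
# Added example, not from the original post. Audits the two Internet Zone
# (zone 3) values discussed above and optionally enforces them.
# Assumption: the per-user zone settings live under the standard key below.
param([switch]$Enforce)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Value name -> wanted setting. 3 = Disable, 1 = Prompt, 0 = Enable.
$wanted = [ordered]@{
    '1001' = 3   # Download signed ActiveX controls (post: default 1)
    '1803' = 3   # File download                    (post: default 0)
}

if (-not (Test-Path -Path $zoneKey)) {
    throw "Zone key not found: $zoneKey"
}

$drift = 0
foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $zoneKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $current) { $current = '<absent>' }

    if ("$current" -eq "$($wanted[$name])") {
        Write-Output "OK    $name = $current"
        continue
    }

    $drift++
    if ($Enforce) {
        Set-ItemProperty -Path $zoneKey -Name $name -Value $wanted[$name] -Type DWord
        Write-Output "FIXED $name : $current -> $($wanted[$name])"
    } else {
        Write-Output "DRIFT $name = $current (wanted $($wanted[$name]); rerun with -Enforce)"
    }
}

# A non-zero exit lets a login script or scheduler flag machines that drifted.
if ($drift -gt 0 -and -not $Enforce) { exit 1 }
```

Run without -Enforce from a login script to find users whose zone settings were changed back; the same two values can also be shipped as a .reg file with "regedit.exe /s" as described earlier on this page.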
We currently use Symantec Corporate Edition Anti-virus v9.0. I have talked to their support reps recently and they claim that the next version has things built into it that are going to be capable of blocking spyware in the near future.
I am a small-time CNE with about 15 small sites and have very little trouble with this when I set up a PC as follows. On a clean machine start with Spybot 14 and/or MSSpyware on the PC, and also use the hosts file on all PCs from here (MVPS HOSTS file is a free download).
This can be updated in the login script about every 1 or 2 months.
This, along with the best and easiest firewall in the world :) SonicWALL TZ170 to the 3060 (these machines do it all) with all gateway intrusion prevention, spyware detection and content filtering on (they call me the soup Nazi), keeps even the users who MUST have admin rights to their machines SAFE. 500 PCs for the last 1.5 years and only 2-3 reinstalls (laptops). These NetWare 6.5 sites cannot afford ZENworks or a full-time IT department, just me. And it works fine.
Keep on Keep'n on.
A note to all: Spybot Search & Destroy is NOT freeware when used in a corporate, business, or government environment. There is a version that can be purchased for corporate use, but according to the Spybot S&D license agreement, the freeware version is for personal use only and cannot be used by corporations. Just wanted to give everyone a heads up. We wanted to use it here in our agency, but were denied use because of our corporate status, and decided we didn't want to pay for the corporate license.
We have about 240 workstations, all running Windows 2000. Most employees have Power User access, but some have been granted Administrator rights, as they have laptops with swappable ROM/Floppy drives, or use handhelds, etc. On the server side, we have a Smelt proxy, and are running Squid and Websense, which works well for stopping spyware (and other intrusions) before it even reaches the workstation. Since the bulk of our users would have difficulty managing AntiSpyware software on their own systems, we pushed out Microsoft's Antispyware through ZENworks to all workstations. Realizing that MA is not as thorough as some of the other free AntiSpyware software, MA did allow us to easily schedule scans to take place on each workstation daily. The only real issue we have found with this is that MA does not let you specify any default actions when it finds spyware; which means MA acts how it sees fit, which is often to ignore certain spyware (like Claria), instead of quarantining or removing. However, it does display a message, and the user will then call IT and we can go in and tell MA what to do.
One thing we do that works well is to keep an "Illegal Software" log (this is done for audit purposes as well as a deterrent). If we discover spyware or any unapproved software (usually from a user reporting their computer 'running slow', through alerts from the server-side protection, or looking up inventory in Patchlink), we will visit the user to remove it. While we are right there, we enter everything into the log book, and explain that we have to document all 'illegal' software that we find on workstations for audit (which is true). We are careful to do this in such a way that the user does not feel like we are angry at them (because we know how much spyware can come in without a user's knowledge), but also making sure they know that this type of thing is being recorded, which will hopefully make them more cautious, and/or stop inappropriate browsing/installing. Since we have installed the server tools, MA on the workstations, and begun using the log, our incidents of spyware or inappropriate software have dropped dramatically - from several instances per week, to maybe one per month.
I work for a Public Health Department where spyware is a definite no go (we don't want any HIPAA related information being stolen by spyware). After using Spybot, Microsoft Windows Defender, AdAware, and McAfee Anti-Spyware plugin for VirusScan 8.0i to try and keep the nasties out, I found the total solution for my organization.
A BlueCoat ProxySG appliance from BlueCoat Systems Inc. at www.bluecoat.com. It is an amazing proxy appliance that can be utilized by proxy settings in your web browser or WCCP through your routers. Using their daily updated Web Filtering list, I have had zero spyware / malware / adware infections for the last year. Before we purchased the BlueCoat ProxySG we were spending a total of 40 hours a week between 3 staff members reinstalling computers that had spyware on them that none of the previously listed anti-spyware programs could protect against or remove.
The most awesome feature of the appliance is its ability to connect to LDAP servers (eDirectory) and utilize username / password from your tree to authenticate and track internet usage. You can even limit down to the user or group in eDirectory when it comes to where they can go online. I love it! It even does bandwidth compression from the webserver to the appliance and from the appliance to the client PC, has instant messenger control, etc.
The whole setup with a BlueCoat ProxySG 400-1 appliance, SSL adapter (for control of SSL websites) and the web filter product from BlueCoat set me back about $6,000 on State contract. It has been worth EVERY penny!
I am admin in a K-12 environment. Your spyware software or appliance is only as good as your definitions are. There are many new ones that could get inside a network before the definitions get updated with the ones that the vendors produce. There are two products made by Faronics that I would highly recommend to any Corporate, Government, Healthcare or Education environment: Anti-Executable and DeepFreeze.
I have used both and can push them out by using ZENworks. For any public or lab environment computer, I would highly recommend DeepFreeze software. For any workstation that might have access to highly secure information or a computer that would take a considerable amount of time to reload due to internet spyware or installed freeware spyware programs, I would recommend Anti-Executable software.
The #1 thing we did to minimize spyware was to filter spyware-related websites. We use Websense Enterprise content filtering software with the Security PG option. This eliminated over 90% of our spyware problems.
I've used three methods to pretty much eliminate spyware from the 200+ machines on my network:
ZENworks Rogue app management:
If you set it to allow only apps that you've specifically listed in the registry, spyware won't ever have a chance to run. See my previous article for more details on this. It takes a while to set up, but it kills 95% of the stuff out there.
NOTE: Rogue application management is pretty much useless against spyware unless you set it to block ALL applications that don't have an exception in the registry. Spyware writers usually randomize their filenames.
A great proactive spyware program. Just make sure that you're able to update your images or go ahead and buy the paid version with update services.
Registry permissions (XP/2000 only):
Create a group on your local workstations called "spyware" or something that you can remember. Go into regedit and select any key or value that might allow something to run at startup. Give the "spyware" group read-only rights to that key or value.
Registry values should always contain the "RUN" keys in HKLM and the explorer toolbar and Browser Helper Object keys. This will also prevent toolbars and other browser customizations from getting added.
Some important ones:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars
NOTE: The last two should set up the HKLU defaults so that new users can't add startup items to their own profile. If you already have a lot of roaming profiles out there it won't do you much good. Because of this, I haven't really tested it too much. Use at your own risk.
Use this same group to restrict adding any files or folders at the root of the "Program Files" directory (but not subdirectories, of course).
Some important locations:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup [no write or modify]
- C:\Program Files [Protect the root of the folder only or bad things will happen. No create rights]
- C:\WINDOWS\SYSTEM32 [users shouldn't be able to create anything here, although this could gum up the works in some cases. Be careful]
Then, in your ZENworks DLU policy, create a local workstation group with the same name and add any at-risk users to it. The restrictions should then translate to any DLU users that have the policy associated to them.
This solution is probably only feasible if your machines are all reimaged centrally, since the configuration process is pretty involved. I've had limited success with utilities such as regperm that can assign rights on the command line, but there's an "out of order" error that comes up with XP. Newer versions may work a little better. Let me know if you have luck with regperm or any similar app.
Remember that there are lots of programs out there that might be offended at such limitations - this configuration is primarily used on student workstations that have extremely rigid usage profiles. Thorough testing needs to be done before a configuration such as this can be free ranging with all your apps.
The good news is that, in case of an emergency, these restrictions can be switched on and off using the groups in the DLU policy.
If you have any questions you may contact Carl at firstname.lastname@example.org
We use a combination of things:
- CA - Pest Patrol
- Websense with the Spyware/Malicious Website Premium group
- Symantec 9.0
ZENworks manages the updates with the Pest Patrol by running the bat file to check the CA server for its updates. The bat file does the rest. To turn it off, we also use ZENworks to make the registry changes to the system so that it doesn't run when the computer is cycled.
For the ultimate free protection - Peer Guardian 2 from Phoenix Labs, with auto-update and hidden so the user doesn't see it. Easy to install and manage. We don't use it here, but I use it when I'm out contracting on those VIP machines that get infected easily.
Regarding needing to be an administrator or power user to run software. My experience is that most software that won't normally run as a limited user will run if you give write permissions to the associated program files subdirectory. That is, if your program, supercool, won't run as a limited user, adding write permissions for all users to c:\program files\supercool will usually fix the problem. Usually, there is some file that the program updates as it starts. I only add these permissions as needed (i.e., I don't allow all users to have write access to c:\program files). Often, it is only one file or just a certain subdirectory but I usually don't take the time to figure out which file/subdirectory. I just add the permission at the top of the program's directory under program files.
Occasionally, the problem is due to trying to update the registry. The solution is the same - add write permissions to the appropriate registry key. However, I've always needed help from a product's technical support to figure out which keys had to have their permission changed.
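The two preceding posts describe the same mechanism from opposite sides: Carl's group-based lockdown of the autostart registry keys and folders, and the targeted write grant on one application's own folder under Program Files. The PowerShell below is an added example and is not code from either post or from Novell; it uses Get-Acl/Set-Acl where the posts used regperm or manual regedit work. The group name "spyware" is taken from Carl's post; the application folder "C:\Program Files\supercool" and the user "student01" are hypothetical placeholders. One design choice is worth stating: the restrictions are written as Deny entries, because giving the group an "Allow Read" entry changes nothing for a user who already holds Allow rights through BUILTIN\Users, whereas a Deny overrides every Allow, so membership in the group is what switches the lockdown on and off (which is what the DLU policy toggle relies on). Run it elevated on a test workstation first.

```powershell
using namespace System.Security.AccessControl
# Added example (PowerShell 5.1+, run elevated on the workstation); not code from the
# original posts. "spyware" is the group name from Carl's post; the app folder
# "C:\Program Files\supercool" and the user "student01" are hypothetical placeholders.
$ErrorActionPreference = 'Stop'
$GroupName = 'spyware'
$Group     = "$env:COMPUTERNAME\$GroupName"

# 1. The local group that the ZENworks DLU policy (or Add-LocalGroupMember) populates.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Cannot add autostart/BHO entries' | Out-Null
}
# HKEY_USERS has no PSDrive by default; the HKU\.DEFAULT key from the post needs one.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Helper: append one ACE to a file-system or registry object and write it back.
# Restrictions are Deny entries on purpose: a Deny overrides every Allow the user
# already holds via BUILTIN\Users, so adding/removing group membership is the switch.
function Add-Ace {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string]$Rights,     # FileSystemRights or RegistryRights names
        [ValidateSet('Allow', 'Deny')][string]$Type = 'Deny',
        [string]$Inheritance = 'None',             # 'None' = this key/folder only
        [string]$Propagation = 'None'
    )
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "skipping missing $Path"; return }
    $acl = Get-Acl -LiteralPath $Path
    if ($Path -like 'HK*:*') {
        $rule = [RegistryAccessRule]::new($Identity, [RegistryRights]$Rights,
            [InheritanceFlags]$Inheritance, [PropagationFlags]$Propagation, [AccessControlType]$Type)
    } else {
        $rule = [FileSystemAccessRule]::new($Identity, [FileSystemRights]$Rights,
            [InheritanceFlags]$Inheritance, [PropagationFlags]$Propagation, [AccessControlType]$Type)
    }
    $acl.AddAccessRule($rule)        # the managed ACL keeps Deny entries ahead of Allow
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 2. Registry: the Run key plus the keys listed in the post. Denying SetValue/CreateSubKey
#    (inherited by subkeys) blocks new autostart values and new BHO/toolbar CLSID subkeys.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'HKU:\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars'
)
foreach ($key in $autostartKeys) {
    Add-Ace -Path $key -Identity $Group -Rights 'SetValue, CreateSubKey, Delete' -Inheritance 'ContainerInherit'
}

# 3. File system. The common Startup folder gets no write at all (contents included);
#    Program Files and System32 are restricted at the root only (Inheritance 'None'),
#    as the post warns, so installed applications keep their own permissions.
$startup = [Environment]::GetFolderPath('CommonStartup')
Add-Ace -Path $startup -Identity $Group -Rights 'Write, Delete, DeleteSubdirectoriesAndFiles' -Inheritance 'ContainerInherit, ObjectInherit'
Add-Ace -Path $env:ProgramFiles -Identity $Group -Rights 'CreateFiles, CreateDirectories'
Add-Ace -Path "$env:SystemRoot\System32" -Identity $Group -Rights 'CreateFiles, CreateDirectories'   # test this one carefully

# 4. The targeted exception from the later post: a program that fails for limited users
#    because it rewrites a file at startup gets write access on its own folder only. The
#    root-only Deny above does not reach this subfolder, so the two rules do not conflict.
Add-Ace -Path "$env:ProgramFiles\supercool" -Identity 'BUILTIN\Users' -Rights 'Modify' -Type Allow -Inheritance 'ContainerInherit, ObjectInherit'

# 5. Verify the explicit (non-inherited) entries that name the group. Membership is
#    normally set by the DLU policy; manually: Add-LocalGroupMember -Group $GroupName -Member 'student01'
function Get-GroupAce([string]$Path) {
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$GroupName" }
}
foreach ($p in $autostartKeys + @($startup, $env:ProgramFiles)) {
    Write-Host "== $p"; Get-GroupAce $p | Format-Table IdentityReference, AccessControlType, *Rights -AutoSize
}
```

Keys or folders that do not exist on a given Windows build are skipped with a warning rather than aborting the run. Because the entries are Deny ACEs, an administrator who is accidentally added to the group is locked out just like a student account; keep the group empty on admin workstations and, as the post says, test every application before rolling this out broadly.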
I would also endorse the combination of Ad-Aware, Spyware Blaster, Spybot Search & Destroy, and wherever possible, Firefox. This is for Windows PCs. I do not have any of these installed on my PC, because it runs Linux - Fedora Core 5 at home and SUSE 10 at work. I have not knowingly, in the last eight years, encountered any type of trojan, virus, malware, spyware, scumware, or adware on my Linux-based systems. Perhaps you folks in the educational sector will have a real shot at Linux desktops when the next NLD/SUSE comes out with integrated Novell login in the desktop manager login screen. Add ZENworks 7 Linux Management to that, along with Firefox and OpenOffice.org, and most school systems will have the core essentials.
We used to have a serious issue with spyware getting to the desktops. We tried Ad-Aware, SpyBot, etc.
We deployed Novell Security Manager as our firewall and proxy solution and it has done a fabulous job of filtering the spyware out BEFORE it gets to those desktops. We still scan the desktops as part of our preventive maintenance plan, but the instances of spyware on our desktops have dropped to the point of being not worthy of a mention.
We still have a few notebook users here who, while away from the office, are vulnerable to spyware; for those we are using Ad-Aware.
Regarding Shandi Druet's concerns about most of the freeware referred to - they do have different licensing policies towards corporations. Please adhere to them - you don't have a legal right to be using their free software if their license agreement requires you to purchase software, regardless of how infected your PCs are. I've written software (two years' worth) that was taken from me - you don't know how angry that still makes me. Please respect these professionals who publish the software.
Off my soapbox.
There are a bunch of great tools listed in the article, but few of them focus on the real source of the problem - prevention. Cleanup always stinks and is never-ending. We have a number of defenses in place to prevent spyware:
- At the browser - we prevent people from going to websites that are known to have spyware installs on them by using a product called SurfControl. It can monitor and prevent access to sites that you prefer your staff not visit, whether pornographic, gambling or spyware. As with any product that depends on its database being up to date, it won't catch everything.
- In email - we have an anti-SPAM server that scours our email, looking for so much nasty stuff, I wonder how it still manages to get email so quickly to us. The product is called ModusGate, put out by Vircom. This product is industrial strength and has the best tech support I've come across in years. In addition, their upgrades are practically flawless. We have an antivirus product within this SPAM server called Norman, that looks for virus-infected email at the same time it processes the email for SPAM. Downstream of our SPAM server, we have a different antivirus server, running McAfee's WebShield product. Though it is an older product, it adds an extra layer of protection from computer viruses.
- On our desktops - we had so many issues with users "personalizing" their PCs and it was consuming so much of our resources in troubleshooting and reimaging that we implemented locked-down PCs using ZENworks for our clinical workstations. At first there was some grumbling, but within a few months, the payoff was huge. No longer are our clinical workstations getting polluted with useless tool bars, bogus screen savers or GAIN junk. We spend very little time troubleshooting or reimaging the locked down PCs. We're looking to potentially push the policy of lockdowns to other places as well. McAfee 8.0i has a feature to scan for SPYWARE and ADWARE that is currently enabled on our workstations as well.
- Finally, we implemented a product called CounterSpy on our workstations. It is centrally managed and works well for our needs.
The best solution is get everyone involved: management, technical staff, and users.
Management should have a strict computer policy in place and enforce it. For example, users shouldn't exchange their files by using their flash drives (USB). And all workstations must have some kind of client (like Symantec) installed.
The internet access gateway in the corporate network should implement some kind of feature to filter out spyware. And the gateway must be monitored. Technical staff should also have procedures created which they follow in response to spyware found on a workstation. (How to dump a new image, then how to restore the user's data.)
Users should be educated. They should be aware of spyware when surfing the internet. They should be told to contact the IT department if something looks suspicious to them.
In response to Matt Pierce's comment:
I assume it would be possible to (mis)use IdentityManager3 to trigger an automated workflow event if it finds a predefined alert which was obtained through ZENworks Asset Management/inventory management. If detected, auto-provision the workstation with forced-run anti-spyware software. If spyware is detected after the software has been run, request imaging for that workstation through the IM3 workflow. Would be nice if it was approved first by the HelpDesk....
I've not tested this, but it will be the third programming action I'll do after implementing IDM3 in our company....