Question: Dwayne Watkins wrote: Recently, talk of spyware has increased. What I wonder is what other offices are doing about it. Currently I am running Spybot from a command line in Applauncher. I have found several ways to run it from there. It’s set to run hidden in the background during the hours that most users are out to lunch and right before the users go home for the day. Applauncher keeps track of my distribution script as well as whether it ran successfully, which is beautiful, but as I stated earlier, I would LOVE to know what other companies are doing about it. Is it possible to submit this as a Cool Solutions question?…
Answer: OPEN CALL: Good idea, Dwayne. Let’s see what everyone else is doing to sniff out (and snuff out) spyware. Fire when ready…
Note: For additional information, check out the new AppNote: Automating the Installation and Execution of Spybot Search & Destroy with ZENworks, by Bill Geschwind.
- Marcel de Roode
- John Carson
- Glenn Sullivan
- Olivier Van den Eede
- Greg Nash
- Matt Pierce
- Gareth Williams
- Dan Hill
- Terrance Turner
- Ryan Jordan
- David Swafford
- Sangita Patel
- Paul Bonjean
- Mark Baldwin
- Norm O’Neal
- Maurice C. Patton
- Frank Neill
- Joel Boyles
- Jason Emery
- Tony Pedretti
- Jim Norton
- Steve Shumski
- Paul Pritchett
- Darin Boudreau
- Darrell Milam
- Eric R Derby
- Ryan Firth
- David Phillips
- Perry Guidry
- Shandi Druet
- Billy Stokes
- Matt Merrell
- Stephen E. Goss
- Scott Russell
- Carl Beehler
- Stuart Jamison
- Gary Horneman
- Toby Fruth
- Tony Pisarek
- Paul Caron
- Eric Ho
- Jules Kremer
None of our users have administrator or power user rights on their
Windows 2000 desktops. All local users are created as “user” (restricted
user). We have never had any complaint about spyware.
The only problem with spyware is with some “hot shots” who have
requested (and been granted) admin rights from upper management,
overruling the IT department.
Our policy is thus: when you are
knowledgeable enough to have admin rights (to install “test” software)
you should be knowledgeable enough to avoid spyware. Whenever they get
hit with nasty spyware (and that is more often than they expected) the
only solution *we* offer is fdisk and reimage.
All of our users are restricted users with little to no authorization
of any type. We have been lucky thus far, but have come across a few new
Java-based Spyware apps popping up. We currently have placed Webroot’s
Spysweeper on some people’s machines that we believe to be more
troublesome than others. We added Google’s Toolbar/Pop-Up blocker to almost every workstation’s IE browser. RBL, Anti-Virus Firewall with Content
Filtering, and GWAVA are all helping out together to limit and restrict any
possibility of spam programs.
On the browsers, most users’ restrictions are set to High and absolutely no ActiveX is allowed to run at
all. We are putting in place a newer AV Firewall that will check all malicious code of ActiveX so we can allow users to run more web-based apps. Also, in the Browser settings we disabled the option to allow the browser to install applications for itself and 3rd-party apps.
Lastly, with ZENworks we are pushing some registry entries to force some
entries to stay the same in case a user or rogue application decides to
change things. This helps keep programs from spreading. Another hint someone
else gave us was to reduce the size of the person’s internet cache, and
have it delete upon exiting the browser, helping reduce possibilities of
programs putting files everywhere. The user’s %TEMP% directory should be
emptied out on a daily basis as well.
A lot of small things and fine tuning have kept us in the clear, except
for that new Java spam/virus that popped up a week ago. AV Firewall
grabbed it for now; hopefully we won’t have to restrict Java apps. And
similarly to Marcel, all users are notified that their machine at any
time can be fdisk’d and reimaged in the event they try to bypass any of
these measures we have put in place.
Well, all of our users are administrators of their own PCs, so we have a
large problem with spyware and adware. Since we have about 6000 plus units,
our fix has been to just install Adware remover
on the machines. We fix it the first time and then let the users fix it themselves from then on.
We have been looking into a global corporate system to handle this problem,
something like Symantec Antivirus/Firewall but there doesn’t seem to be a product that can be easily managed centrally to do the other functions
needed by corps these days. Symantec does Virus, some Trojans and Firewall;
it’s good at being centrally managed but it really lacks when it comes to the
rest of the security problems desktops face.
What we need is a centrally controlled corporate system that can do the following:
Firewall centrally controlled rules
Centrally report on breaches
Monitor detected IP intrusion attempts on units
Monitor detected IP scanning attempts on units
etc etc etc
Anyone want to write something?
The overworked Gnome
We are also looking into the combination SpywareBlaster/Spybot. I have used this on my own system with very impressive results. To refer to the previous post, just because one doesn’t have any complaints about spyware does not mean the problem doesn’t exist; the major idea behind spyware is just that it goes on without the user’s knowledge or interaction… and of course, depending on the system and connection, the system might take more or less time to gradually slow down.
That said, we are certainly also looking into the Security & Privacy settings tab of Internet Explorer (and how we can push these out through ZENworks as a local machine policy); there you can play around with the cookie settings (cookies make up a large part of various spyware). You can put the slider to Medium High or High and then put your company’s internet page and intranet page into the ‘allow’ websites section so it overrides the general security setting for your own websites and domain. Users can even do this themselves for individual websites they need to access frequently if needed.
Our office uses a mix of Windows 98, 2000, and XP.
Unfortunately, locking down Windows 98 workstations isn’t worth the trouble, since the OS is so insecure to begin with. We are using a wonderful freeware app called Spybot Search & Destroy.
It’s freeware, and does the trick.
We push it out with ZENworks to elevate the application’s privileges to the locked-down workstations. The users can run it at their leisure, and we can schedule it to run on a whim!
We use USB pen drives with Ad-Aware on each one. When we hear of a case
of spyware or our ZENworks Inventory reports show known spyware vendors
in the list, we go out and scan those PCs, eliminating all the spyware.
At the same time, this gives us a chance to remove all the other no-no’s
they should have never downloaded and installed to cause these problems.
But, if there were a way to remotely scan the PCs with ZENworks, I’m all
ears to learn how. Anyone?
I can heartily recommend JavaCoolSoftware’s SpywareBlaster. This is easily
distributed every so often as a slew of registry settings (so what is the
correct collective noun for registry settings – a blue screen? a kill? a
mangle?) that immediately kill known spyware based on GUID (I think). They
although this does lead to questions like “So why does bigjugs.com get a
listing in your computer’s registry, sir?”
Like others we use Spybot and Ad-Aware on an as-needed basis. Trend Micro’s latest version of OfficeScan claims to scan for spyware and malware but I’m
not convinced of its effectiveness (just installed it). Pest Patrol makes
a corporate version that is centrally managed, that I hope to evaluate.
It’s not cheap but it could be worth the cost.
In response to Sullivan’s post: Pest Patrol offers a centrally managed
adware/spyware solution. It’s a breeze to install in a Windows
environment, but requires some tweaking if you’re in a Novell shop and
don’t have any Active Directory servers. I’ve found that PestPatrol
catches more malware (including trojans) than Spybot Search & Destroy
and Ad-Aware. Although it sometimes produces false-positives with some
items, like RealVNC.
The only drawback with PestPatrol is paying for it.
I love my free malware solutions like anyone else, but don’t like coming
out of my pocket for it. With that being said, this one is worth the
money. You can download a trial and run it legally for up to 90 days and
try it for yourself.
I am in an easier spot, I suppose, in that the workstations at my job are not any one person’s. It seems to me that users on the whole don’t have any idea about ad/spy/trojan-ware. We just elected to install Mozilla Firefox 0.9 on the machines and it seems to have done the trick. This is, however, in an environment where most of the users don’t know enough to install software. Anyway, this in and of itself seems to have curbed 99% of the crap people unwittingly pick up. The nice thing is that it’s a better (IMHO) browser anyway.
At my organization we use Symantec Corporate Edition 9.0, which has spyware protection built in, but for our selected “elite” users, who think that they are excluded from all computer use policies, we install a nice program called Deep Freeze from a company called Faronics. It’s a Canadian-based software group, and what Deep Freeze does is, once installed on a machine, put that machine, in effect, in a lockdown state. Any changes made to a “frozen” machine are completely erased upon reboot. Also the software is managed with an admin console that allows us to see what machines are on and which ones are frozen. It also has the ability to unfreeze itself at a specific time period (like at night for AV updates), and it can also automatically reboot at a specified time or interval.
Overall it’s a great program to use, and the best part is when a user installs something that they shouldn’t, the Deep Freeze software sort of messes with them in that it will allow them to install it and use it during that session but as soon as the machine is rebooted all changes are gone and anything done to that including the addition of a virus or spyware is deleted along with any modifications it may have made.
An interesting product we have discovered is a service called AssetMetrix. It has the ability to transparently scan your PCs and report back any potential issues (spyware, browser hijackers, malware, auto-start viruses, etc.) We run it periodically, and use the reporting feature to identify PCs that have potential issues. This helps us address the problem (using various removal tools) but also identifies repeat offenders, and allows us to tighten up our IT processes to better avoid problems in the future. Very good complement to ZENworks.
We are a public high school with 1900 students/100 teachers and ~300
computers. Spyware has been the greatest nuisance we have faced. All
students and teachers are “Power Users” since much of our software will
not run properly as simple “Users”, and even without “admin” rights the
machines were constantly being infested with parasites. As updates have
been made to IE, some of these buggers are no longer code-compatible and
actually crash the browser, not just slow it down.
Since implementing Spybot, we have reduced re-imaging infested machines
from several dozen per week to a handful per month.
The workstations all run Win-2K or Win-XP, and we have ZENworks for Desktops 4 on a
Novell 6 network.
SpyBot is set to run in the Novell Scheduler at “Scheduler Start Up”,
with “System” rights.
Parameters are set within SpyBot for it to run automatically/silently
to clean the PC as
well as check for updates and “immunize” the system.
Every computer is left “ON” 24/7, and a nightly re-boot is programmed
into the Novell Scheduler.
This not only clears any users who forgot to log out, but cleans the
machines as well.
Works great, with only an occasional new critter getting through!
I’m the admin for three middle schools and a high school. A lot of gaming
and teen websites are hosted by spyware and adware. We’ve tried adaware,
spybot, spywareblaster, and a half dozen other products to get a handle on
My experience with spyware started by cloning the MS office
settings from my office machine. Unfortunately, that’s one of the first
places spyware looks to collect user data. Soon, I was receiving over 100
spams each day. My best advice is to create a local configuration user on
your image machine, configure the machine with this user, then log into
the machine as the administrator, and copy the config user’s profile to
“default user”. This way, you can control the initial settings in
More stuff: download the spyware registry block list from
I make two application objects for my spybot distribution. The first one
installs the application pre-configured to immunize the system, with a
priority set to “idle” and set to download new signature files silently.
The application availability is set to install only if the spybot application
is missing. Instead of using “run once” which checks the c:\nalcache
directory, this method reinstalls the application if a user or malware
app deletes it.
The second application object is just a shortcut set to
force run spybot when a user logs in. That’s why the scan priority is set
to “idle”. Users can still use the computer while a scan is taking place. I
use command line options to /autoimmunize, /autoupdate, /autocheck,
/autofix, /taskbarhide. These settings keep the program completely hidden.
You need to /autoimmunize the program when it runs because new immunization
signatures aren’t automatically included, you have to re-immunize when you
download new sigs.
There’s my dissertation on spyware, go get ‘em tiger!
Again, bravo to Marcel: I wish we had the backup from upper management. Some of the users are quite convincing when trying to override the agency policy related to IT.
We also have a problem with users getting spyware. We use the following for removal:
It seems to me that there isn’t just one program that can catch it all.
Here’s a couple of things that we are doing.
- Use BorderManager to block known malicious websites
- Use Spybot Search and Destroy along with Spyware Blaster
- Symantec AntiVirus Corporate edition 9 is supposed to block malware (have been using it for a month now, I still can’t confirm this)
- Dabbling with FireFox on certain workstations.
We have recently implemented desktop security enhancements using ZfD.
We removed all users from the local administrator groups and use DLU and
roaming profiles. Users are only added to the local “users” group on
the Windows workstations. We also use Group Policies to further enhance
the systems security settings. Since implementing those policies we
have not seen an alarm raised on our perimeter from the locked-down
machines. I think it is the only effective method by which you can
We are also looking at some http filtering
technology on our perimeter to scan traffic looking for known spyware.
The new release of Trend Micro’s OfficeScan has
some anti-spyware features but we have not tested it yet as the product
just came out the first week in July 2004.
We have eliminated most of the exceptions to the rule, even when it
comes to SVPs and such, by working with top management and getting them
on board by really making them understand the consequences and
ramifications of not pursuing a policy like this even on special
machines. For those few machines in the IT Department that need to be a
little more free we are careful with them and use Ad-Aware. Using
alternative browsers like Mozilla Firefox also helps.
Aside from installing “freeware”, using Microsoft’s Internet Explorer lately
to browse the web has been one of the most common ways spyware and the
like spread. To combat this, I’ve taken a more proactive approach using Internet
Explorer’s privacy and security settings along with software available on
the internet to populate its block functions. Since these settings are
effectively registry keys and values in Windows, you can also export them to
standard reg files and deploy them via a login script using “regedit.exe /s”
or import them into a ZENworks application object and roll them out that
NOTE: Prior to SP3 for ZENworks for Desktops 3.2, in order to import the
registry keys and values to block cookies from various domains you have to
convert the registry export file to an AXT to get them into an application
object. Otherwise the ZfD plugins for ConsoleOne will not understand the
non-standard default DWORD values that these settings are.
- SpyBot Search & Destroy (Immunize button blocks some known ActiveX
- SpywareBlaster (blocks some known ActiveX controls, cookies and domains)
- SpySites Plus
(large list of known domains to block)
Microsoft documents these “immunity” functions scattered throughout its
knowledgebase. Here are some of them…
- How to Stop an ActiveX Control from Running in Internet Explorer
- Description of Internet Explorer Security Zones Registry Entries
- How to Manage Cookies in Internet Explorer 6
- How to Restore Default Settings After Importing Custom Privacy Preferences
- How to strengthen the security settings for the Local Machine zone in Internet Explorer
On the clean-up front one of the authors from Network World recently
discussed the Cool Web Search nuisance [Editor's Note: Despite the cool name, this bad boy has NOTHING to do with Cool Solutions!] and a couple of utilities to help get
rid of it. See Not-so-Cool Web app
The Sysinternals web site provides quite a few free utilities to help troubleshoot and isolate tasks and processes running. Take a look at Process Explorer, Filemon, Regmon, Autoruns, TCPView, and LoadOrder.
There are some extremely helpful programs which are available (some
free, some not) which can be used to prevent or remove spyware.
Here are some programs which can provide more preventative measures:
I recommend to everyone I know that they ditch Internet Explorer in favor
of Mozilla / Firefox. There are too many unpatched security holes and
too many malware writers who target IE and Windows in general. In cases
where Internet Explorer is required, however, IE-Spyad can provide a
measure of protection. It is simply a registry file containing a list
of restricted sites which malware authors use to ‘phone home’ or send
information. The list of sites is very large and is updated on a
regular basis. Pushing down these registry entries via ZENworks is a
- SpywareGuard / SpyWareBlaster
SpywareGuard, as far as I can tell, is unrestricted Freeware and is a
real-time scanning engine for malware. This program sits in memory and
looks for any malware which may try to hijack your system.
SpywareBlaster is free for personal and educational use only and is
similar to Spybot’s immunize feature where it blocks spyware from taking
- Spybot S&D
The only reliable, completely free for personal use, spyware scanner is Spybot Search and Destroy.
Some others include spyware themselves or are ad supported. If your
company intends to spend money on a solution, Ad Aware is the other
reliable choice. In either case, both should be used for maximum
protection as one will catch what the other doesn’t (Ad Aware’s spyware
database is more comprehensive, however). Spybot’s immunize feature is
similar to Spyware Blaster. Spybot, however, is completely free.
More information can be found at places such as:
There are other, more advanced tactics for dealing with software such
as using HijackThis and scanning the logs to get rid of hard-to-detect
browser hijackers and other malware, but this is a good start for
novices and experts alike.
If you are planning to deploy or use what claims to be an anti-spyware
tool not on this list, check the latter link first. Some spyware
removal tools contain spyware themselves!
We are currently using several tools to rid our system of spyware/adware etc. We are a 1,100 student school district with over 500 machines. We run Spybot search and destroy, Bazooka, Spywareblaster, X-Cleaner, aaw6, and the google toolbar. The combination has allowed us to become progressive in other areas instead of chasing problems.
We also have had problems with spyware — it has been some kind of relief
to see that we were not alone. To reduce the amount of spyware we have
used the blocklist available from spywareguide. We are looking at the use of spybot as well. I have found the postings from this Cool Solutions
article a great help.
I see a lot of the suggestions call for the use of Ad-Aware and they
claim that it is free. Yes, it is free for personal use, but if you are
using it in your commercial/government/education environment, the
license agreement says you need to purchase licenses to use it in that
environment. Granted, I love using Ad-Aware too, but the licensing for
these different programs gets kind of sticky.
I don’t think that using a program like spybot or Ad-Aware is the right solution. You are fixing, not preventing, a problem. Prevention is the best solution. A firewall at the workstation level that is manageable from a central location would be the best, now where do we find that?
Has anyone tried BorderManager and “Novell Client Firewall”? I don’t think it is manageable from a central location unless you use ZENworks to push out the ini configuration files, which is not an ideal way, but some people are doing it.
Being in an Academic institution everyone must be able to do whatever they want, and a lot of the programs that we use require users to have admin privileges. The newest version of Webroot’s Spy Sweeper Enterprise seems to be promising. It has a centralized console, real-time prevention and does not require the nasty things like Windows file and print sharing or AD. It works like Symantec in the fact that it registers the client with the server, and for those with ZfD 4 and 6.5 it is an MSI install. They just released their latest version that is supposed to have a lot more functionality to it, and seems pretty good. It might be something to look at.
Spyware in our district usually comes from two places: Faculty that
doesn’t know what to do when an activeX popup appears; and students who
purposely download and install anything they can. Ideally, we don’t
want our desktops to be infected with spyware in the first place, so
that is where we’ve concentrated our efforts. We pushed two policies
down in one of our high schools that have worked better than I ever
1) Prevent anyone from downloading ActiveX Controls.
2) Prevent students from downloading anything.
Notice we’re not actually blocking ActiveX, since many legitimate
applications rely on it. ActiveX applications already installed on
machines will run just fine. Preventing the download of new ActiveX
Controls keeps the popup auto-installers in check.
In Internet Explorer, click on Tools – Internet Options – Security tab
- Select the Internet Zone – Custom level.
Here you can set the two policies mentioned above.
Click disable on “Download signed ActiveX Controls”, and for students,
under “File Downloads”, click disable.
We’ve pushed these items through group policies, but they can be pushed
through registry keys as well.
"1001" DWORD – For preventing installation of ActiveX controls, set the
value to 3. (The default value is 1)
"1803" REG_DWORD – For preventing file downloads, set the value to 3.
(The default value is 0)
We currently use Symantec Corporate Edition Anti-Virus v9.0. I have talked to
their support reps recently and they claim that next version has things built
into it that are going to be capable of blocking spyware in the near future.
I am a small-time CNE with about 15 small sites and have very little trouble with this when I set up a PC as follows.
On a clean machine start with
Spybot 1.4 and/or MSSpyware on the PC; also use the HOSTS file on all PCs from here (MVPS HOSTS file is a free download).
This can be updated in the login script about every 1 or 2 months.
This along with the best and easiest firewall in the world SonicWALL TZ170 to the 3060 (these machines do it all) with all gateway intrusion prevention, spyware detection and content filtering on. (They call me the soup Nazi). Keeps even the users who MUST have admin rights to their machines SAFE. 500 PCs for the last 1.5 years and only 2-3 reinstalls (laptops). These NetWare 6.5 sites cannot afford ZENworks or a full time IT department, Just me. And it works fine.
Keep on Keep’n on.
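As an added example (not code from any poster in this thread), the Python script below takes a plain domain blocklist of the kind the IE-Spyad and SpySites posts earlier in the thread describe and turns it into two artifacts: a .reg file that places every domain in Internet Explorer’s Restricted Sites zone (the ZoneMap\Domains layout, zone id 4, is the one IE itself uses), and a HOSTS fragment in the style of the MVPS HOSTS file mentioned in the post just above. The sample blocklist, the domain names in it and the “0.0.0.0” sinkhole address are constructed for the example; the two-label split used to find the registrable part of a name is a simplification that is wrong for registries such as co.uk.

```python
r"""Turn a plain domain blocklist into two deployable artifacts.

1. A .reg file that puts each domain in Internet Explorer's Restricted Sites
   zone (ZoneMap, zone id 4), which is what IE-Spyad / SpySites-style lists do.
2. A HOSTS-file fragment that points the same names at 0.0.0.0, the mechanism
   the MVPS HOSTS file uses (it blocks every application, not just IE).

The blocklist below is constructed for this example.
"""
import re

SAMPLE_BLOCKLIST = """\
# constructed sample: a comment, a wildcard, a trailing comment, a duplicate, junk
ads.example.net
*.example.org
bad.example.com    # trailing comment
Bad.Example.com
not a domain!
"""

# ZoneMap zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
RESTRICTED_SITES = 4
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def parse_blocklist(text):
    """Return (entries, rejected): entries are (domain, wildcard) tuples,
    lower-cased and de-duplicated; rejected are lines that are not hostnames."""
    seen, entries, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        wildcard = line.startswith("*.")
        name = line[2:] if wildcard else line
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            rejected.append(raw.strip())
            continue
        if (name, wildcard) not in seen:
            seen.add((name, wildcard))
            entries.append((name, wildcard))
    return entries, rejected


def zonemap_key(name):
    r"""IE stores ads.example.net as Domains\example.net\ads: the registrable
    part is the key, the remaining labels one sub-key. A key with no host
    sub-key applies to every host in the domain, so *.example.org and
    example.org both land in Domains\example.org. The two-label split is a
    simplification (wrong for co.uk-style registries)."""
    labels = name.split(".")
    base, host = ".".join(labels[-2:]), ".".join(labels[:-2])
    return ZONEMAP + "\\" + base + ("\\" + host if host else "")


def to_reg(entries):
    """Render a regedit 5.00 file; "*" means the entry covers all protocols."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for name, _wildcard in entries:
        lines += ["[%s]" % zonemap_key(name),
                  '"*"=dword:%08x' % RESTRICTED_SITES, ""]
    return "\r\n".join(lines)


def to_hosts(entries):
    """HOSTS cannot express wildcards: *.example.org only blocks example.org
    itself, so wildcard entries are marked with a comment for the reviewer."""
    out = []
    for name, wildcard in entries:
        out.append("0.0.0.0 %s%s" % (name, "  # wildcard in source list" if wildcard else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    print(to_reg(entries))
    print(to_hosts(entries))
    print("rejected:", rejected)
```

The .reg output targets HKEY_CURRENT_USER, so it has to be imported in the user’s context (a login script running `regedit.exe /s`, or a user-associated application object), not by a workstation-level policy running as SYSTEM; the HOSTS fragment, by contrast, is machine-wide and needs write access to %SystemRoot%\system32\drivers\etc\hosts.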
A note to all: Spybot Search & Destroy is NOT freeware when used in a corporate, business, or government environment. There is a version that can be purchased for corporate use, but according to the Spybot S&D license agreement, the freeware version is for personal use only and cannot be used by corporations. Just wanted to give everyone a heads up. We wanted to use it here in our agency, but were denied use because of our corporate status, and decided we didn’t want to pay for the corporate license.
We have about 240 workstations, all running Windows 2000. Most employees have Power User access, but some have been granted Administrator rights, as they have laptops with swappable ROM/Floppy drives, or use handhelds, etc. On the server side, we have a Smelt proxy, and are running Squid and Websense, which works well for stopping spyware (and other intrusions) before it even reaches the workstation. Since the bulk of our users would have difficulty managing anti-spyware software on their own systems, we pushed out Microsoft’s AntiSpyware through ZENworks to all workstations. Realizing that MA is not as thorough as some of the other free anti-spyware software, MA did allow us to easily schedule scans to take place on each workstation daily. The only real issue we have found with this is that MA does not let you specify any default actions when it finds spyware; which means MA acts how it sees fit, which is often to ignore certain spyware (like Claria), instead of quarantining or removing. However, it does display a message, and the user will then call IT and we can go in and tell MA what to do.
One thing we do that works well is to keep an “Illegal Software” log (this is done for audit purposes as well as a deterrent). If we discover spyware or any unapproved software (usually from a user reporting their computer ‘running slow’, through alerts from the server-side protection, or looking up inventory in Patchlink), we will visit the user to remove it. While we are right there, we enter everything into the log book, and explain that we have to document all ‘illegal’ software that we find on workstations for audit (which is true). We are careful to do this in such a way that the user does not feel like we are angry at them (because we know how much spyware can come in without a user’s knowledge), but also making sure they know that this type of thing is being recorded, which will hopefully make them more cautious, and/or stop inappropriate browsing/installing. Since we have installed the server tools, MA on the workstations, and begun using the log, our incidents of spyware or inappropriate software have dropped dramatically – from several instances per week, to maybe one per month.
I work for a Public Health Department where spyware is a definite no go (we don’t want any HIPAA related information being stolen by spyware). After using Spybot, Microsoft Windows Defender, AdAware, and McAfee Anti-Spyware plugin for VirusScan 8.0i to try and keep the nasties out, I found the total solution for my organization.
A BlueCoat ProxySG appliance from BlueCoat Systems Inc. at www.bluecoat.com. It is an amazing proxy appliance that can be utilized by proxy settings in your web browser or WCCP through your routers. Using their daily updated Web Filtering list, I have had zero spyware / malware / adware infections for the last year. Before we purchased the BlueCoat ProxySG we were spending a total of 40 hours a week between 3 staff members reinstalling computers that had spyware on them that none of the previously listed anti-spyware programs could protect against or remove.
The most awesome feature of the appliance is its ability to connect to LDAP servers (eDirectory) and utilize username / password from your tree to authenticate and track internet usage. You can even limit down to the user or group in eDirectory when it comes to where they can go online. I love it! It even does bandwidth compression from the webserver to the appliance and from the appliance to the client PC, has instant messenger control, etc.
The whole setup with a BlueCoat ProxySG 400-1 appliance, SSL adapter (for control of SSL websites) and the web filter product from BlueCoat set me back about $6,000 on State contract. It has been worth EVERY penny!
I am admin in a K-12 environment. Your spyware software or appliance is only as good as your definitions are. There are many new ones that could get inside a network before the definitions get updated with the ones that the vendors produce. There are two products made by Faronics that I would highly recommend to any corporate, government, healthcare or education environment: Anti-Executable and DeepFreeze.
I have used both and can push them out by using ZENworks. For any public or lab environment computer, I would highly recommend DeepFreeze software. For any workstation that might have access to highly secure information or a computer that would take a considerable amount of time to reload due to internet spyware or installed freeware spyware programs, I would recommend Anti-Executable software.
The #1 thing we did to minimize spyware was to filter spyware-related
websites. We use Websense Enterprise content filtering software with the
Security PG option. This eliminated over 90% of our spyware problems.
I’ve used three methods to pretty much eliminate spyware from the 200+ machines on my network:
ZENworks Rogue app management:
If you set it to allow only apps that you’ve specifically listed in the registry, spyware won’t ever have a chance to run. See my previous article for more details on this. It takes a while to set up, but it kills 95% of the stuff out there.
NOTE: Rogue application management is pretty much useless against spyware unless you set it to block ALL applications that don’t have an exception in the registry. Spyware writers usually randomize their filenames.
A great proactive spyware program. Just make sure that you’re able to update your images or go ahead and buy the paid version with update services.
Registry permissions (XP/2000 only):
Create a group on your local workstations called “spyware” or something that you can remember. Go into regedit and select any key or value that might allow something to run at startup. Give the “spyware” group read-only rights to that key or value.
Registry values should always contain the “RUN” keys in HKLM and the explorer toolbar and Browser Helper Object keys. This will also prevent toolbars and other browser customizations from getting added.
Some important ones:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars
NOTE: The last two should set up the HKCU defaults so that new users can’t add startup items to their own profile. If you already have a lot of roaming profiles out there it won’t do you much good.
Because of this, I haven’t really tested it too much. Use at your own risk.
Use this same group to restrict adding any files or folders at the root of the “Program Files” directory (but not subdirectories, of course).
Some important locations:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup [no write or modify]
- C:\Program Files [Protect the root of the folder only or bad things will happen. No create rights]
- C:\WINDOWS\SYSTEM32 [users shouldn't be able to create anything here, although this could gum up the works in some cases. Be careful]
Then, in your ZENworks DLU policy, create a local workstation group with the same name and add any at-risk users to it. The restrictions should then translate to any DLU users that have the policy associated to them.
This solution is probably only feasible if your machines are all reimaged centrally, since the configuration process is pretty involved. I’ve had limited success with utilities such as regperm that can assign rights on the command line, but there’s an “out of order” error that comes up with XP. Newer versions may work a little better. Let me know if you have luck with regperm or any similar app.
Remember that there are lots of programs out there that might be offended at such limitations – this configuration is primarily used on student workstations that have extremely rigid usage profiles. Thorough testing needs to be done before a configuration such as this can be free ranging with all your apps.
The good news is that, in case of an emergency, these restrictions can be switched on and off using the groups in the DLU policy.
If you have any questions you may contact Carl at firstname.lastname@example.org
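An added example, not Carl's own scripts, of applying the group-based lockdown above with PowerShell. It assumes explicit Deny entries rather than a bare read-only grant (a Deny on the group overrides any Allow the user inherits from Users or Power Users), an elevated session, and the HKLM Run key alongside the keys listed above:

```powershell
# Added example: lock down the startup locations from the post by denying
# write/create rights to a local "spyware" group. Run elevated. Assumption:
# Deny ACEs are used because they override Allow entries from other groups.
$group = 'spyware'
if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $group -Description 'Startup-location lockdown' | Out-Null
}
$id = New-Object System.Security.AccessControl.NTAccount("$env:COMPUTERNAME\$group")
# HKEY_USERS has no PowerShell drive by default; map it to reach the .DEFAULT hive.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
# Startup and browser-extension keys from the post, plus the HKLM Run key.
$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions',
    'HKU:\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars'
)
# Deny only what is needed to add a startup entry; reads stay intact so
# existing programs still load their settings.
$regRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { Write-Warning "Key not found, skipping: $key"; continue }
    $acl  = Get-Acl -Path $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $id, $regRights, 'ContainerInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}
# File system: the all-users Startup folder (no writes, inherited) and the root
# of Program Files only (no create rights; subfolders untouched, as the post
# warns). SYSTEM32 is deliberately left out here.
$fsTargets = @(
    @{ Path = [Environment]::GetFolderPath('CommonStartup');
       Rights = 'Write'; Inherit = 'ContainerInherit, ObjectInherit' },
    @{ Path = $env:ProgramFiles;
       Rights = 'CreateFiles, CreateDirectories'; Inherit = 'None' }
)
foreach ($t in $fsTargets) {
    if (-not (Test-Path $t.Path)) { Write-Warning "Path not found, skipping: $($t.Path)"; continue }
    $acl  = Get-Acl -Path $t.Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $t.Rights, $t.Inherit, 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $t.Path -AclObject $acl
}
```

Membership in the local group is what switches the restrictions on; adding the same group name in the ZENworks DLU policy, as the post describes, lets you toggle them per user.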
We use a combination of things:
- CA – Pest Patrol
- Websense with the Spyware/Malicious Website Premium group
- Symantec 9.0
ZENworks manages the updates with the Pest Patrol by running the bat file to check the CA server for its updates. The bat file does the rest. To turn it off, we also use ZENworks to make the registry changes to the system so that it doesn’t run when the computer is cycled.
For the ultimate free protection – Peer Guardian 2 from Phoenix Labs, with auto update and hidden so the user doesn’t see it. Easy to install and manage. We don’t use it here, but I use it when I’m out contracting on those VIP machines that get infected easily.
Regarding needing to be an administrator or power user to run software. My experience is that most software that won’t normally run as a limited user will run if you give write permissions to the associated program files subdirectory. That is, if your program, supercool, won’t run as a limited user, adding write permissions for all users to c:\program files\supercool will usually fix the problem. Usually, there is some file that the program updates as it starts. I only add these permissions as needed (i.e., I don’t allow all users to have write access to c:\program files). Often, it is only one file or just a certain subdirectory but I usually don’t take the time to figure out which file/subdirectory. I just add the permission at the top of the program’s directory under program files.
Occasionally, the problem is due to trying to update the registry. The solution is the same – add write permissions to the appropriate registry key. However, I’ve always needed help from a product’s technical support to figure out which keys had to have their permission changed.
I would also endorse the combination of Ad-Aware, Spyware Blaster, Spybot Search & Destroy, and wherever possible, Firefox. This is for Windows PCs. I do not have any of these installed on my PC, because it runs Linux – Fedora Core 5 at home and SUSE 10 at work. I have not knowingly, in the last eight years, encountered any type of trojan, virus, malware, spyware, scumware, or adware on my Linux-based systems. Perhaps you folks in the educational sector will have a real shot at Linux desktops when the next NLD/SUSE comes out with integrated Novell login in the desktop manager login screen. Add ZENworks 7 Linux Management to that, along with Firefox and OpenOffice.org, and most school systems will have the core essentials.
We used to have a serious issue with spyware getting to the desktops. We tried Ad-Aware, SpyBot, etc.
We deployed Novell Security Manager as our firewall/proxy solution and it has done a fabulous job of filtering the spyware out BEFORE it gets to those desktops. We still scan the desktops as part of our preventive maintenance plan, but the instances of spyware on our desktops have dropped to the point of not being worth a mention.
We still have a few notebook users here who are vulnerable to spyware while away from the office; for those we are using Ad-Aware.
First, my compliments to all of the suggestions. I also want to echo Shandi Druet’s concerns about most of the freeware referred to – they do have different licensing policies towards corporations. Please adhere to them – you don’t have a legal right to be using their free software if their license agreement requires you to purchase software, regardless of how infected your PCs are. I’ve written software (two years worth) that was taken from me – you don’t know how angry that makes me still. Please respect these professionals who publish the software.
Off my soapbox.
There are a bunch of great tools listed in the article, but few of them focus on the real source of the problem – prevention. Cleanup always stinks and is never-ending. We have a number of defenses in place to prevent spyware:
- At the browser – we prevent people from going to websites that are known to have spyware installs on them by using a product called SurfControl. It can monitor and prevent access to sites that you prefer your staff not visit, whether pornographic, gambling or spyware. As with any product that depends on its database being up-to-date, it won’t catch everything.
- In email – we have an anti-SPAM server that scours our email, looking for so much nasty stuff, I wonder how it still manages to get email so quickly to us. The product is called ModusGate, put out by Vircom. This product is industrial strength and has the best tech support I’ve come across in years. In addition, their upgrades are practically flawless. We have an antivirus product within this SPAM server called Norman, that looks for virus-infected email at the same time it processes the email for SPAM. Downstream of our SPAM server, we have a different antivirus server, running McAfee’s WebShield product. Though it is an older product, it adds an extra layer of protection from computer viruses.
- On our desktops – we had so many issues with users “personalizing” their PCs and it was consuming so much of our resources in troubleshooting and reimaging that we implemented locked-down PCs using ZENworks for our clinical workstations. At first there was some grumbling, but within a few months, the payoff was huge. No longer are our clinical workstations getting polluted with useless tool bars, bogus screen savers or GAIN junk. We spend very little time troubleshooting or reimaging the locked down PCs. We’re looking to potentially push the policy of lockdowns to other places as well. McAfee 8.0i has a feature to scan for SPYWARE and ADWARE that is currently enabled on our workstations as well.
- Finally, we implemented a product called CounterSpy on our workstations. It is centrally managed and works well for our needs.
The best solution is get everyone involved: management, technical staff, and users.
Management should have a strict computer policy in place and enforce it. For example, users shouldn’t exchange their files by using their flash drives (USB). And all workstations must have some kind of client (like Symantec) installed.
The internet access gateway in the corporate network should implement some kind of features to filter out Spyware. And the gateway must be monitored. Technical staff should also have procedures created which they follow in response to Spyware found in a workstation. (How to dump a new image, then how to restore user’s data.)
Users should be educated. They should be aware of spyware when surfing the internet. They should be told to contact the IT department if something looks suspicious to them.
In response to Matt Pierce’s comment:
I assume it would be possible to (mis)use IdentityManager3 to trigger an automated workflow event if it finds a predefined alert which was obtained through ZENworks Asset Management/inventory management. If detected, auto-provision the workstation with forced-run anti-spyware software. If spyware is detected after the software has been run, request imaging for that workstation through IM3 workflow. It would be nice if it were approved first by the HelpDesk….
I’ve not tested this, but it will be the third programming action I’ll do after implementing IDM3 in our company….