Enterprise Spyware application(s)

[Steve]

I've been asked to investigate the possibilities for a spyware/adware application (or applications) for our office. We have typically 350-450 users in the building every day (M-F) and probably 150-250 more deployed nationally and worldwide. All are running Windows XP with Service Pack 1, except for a small handful who have slipped through the cracks and are still on 2000 (laptop users deployed during the upgrade), but they will be upgraded. This is on a mixed Windows (AD) and Novell Netware network. Free is nice, but we're anticipating a pay requirement due to the number of clients, licenses, etc.

I'm a believer in kilobytes of prevention rather than megabytes of cure, so what I think would be ideal is immunization rather than regular cleanings. So far I like SpywareBlaster, but I have not yet contacted them on their pricing. I like what I hear about the MS AntiSpyware tool, but I don't know what their pricing will be like when the time comes, nor do I know about the app itself - to what extent does it do cleaning vs. immunization, etc. Plus if it turns out to require SP2 or the .Net framework, we don't want it. So, what's a good choice for an application or two that will allow us to clean a client's computer when needed, but provides immunity as well? Basically we don't want to have to run everywhere running Ad-Aware and SpyBot all the time.

 

[Steve]

bump?

 

[agnitrate]

I'm not sure how it fits into the enterprise community, but here goes :

I use a Quadra-headed approach on these malicious software types :

Ad-Aware - scanner
Spybot - scanner
SpywareGuard - real-time protection
SpywareBlaster - immunization like you have used

I also use Firefox with the Adblock extension, but that's not crucial since most enterprises use IE. I have almost zero spyware on my computer after running this config for > 6 months. It's wonderful when software works. Now somebody just has to package them all together...

I'd like to know what corporations use to keep their users in order in this sense.

-silver

 

[Zugzwang152]

depends on the level of infestation you have. Spybot is free for all uses, even commercial settings, AFAIK. That and Ad-aware may be enough for the vast majority of maintenance, provided you don't have incredibly dumb users. Lavasoft requires licensing for commercial settings though, and I imagine it can get quite expensive with that many users.

If these are generic workstations shared by many people, you might be better off with something like Deep Freeze, which resets the registry and does a full scan and erases all files not saved in its original image. we use this program in the labs at my my school. It's like having a fresh image restored to your system after every reboot. The downside is that it takes a good 30 minutes to scan during which the hdd is thrashing and its 100% cpu usage. well worth it in my opinion.

 

[dunkster]

The concensus opinion at many of the 'security forums' is that you can't have too many anti-spyware tools.

These three are almost mandatory:
- AdAware
- Spybot
- Immunization with SpywareBlaster.

I tried SpywareGuard real-time scanner for a week or so. It's scanner misses items found by AdAware and Spybot on-access scans. I bought and recommend Spyware Doctor, for an excellent combination of effective real-time and on-access scanning.

Hope this helps!

 

[torpid]

Keep in mind that just having the software on the machines is only one part. You need to have some automated system of deploying or downloading updated definition files on the machines as well. Some products do not do this in the free version.

 

[Steve]

Any opinions on Pest Patrol?

 

[Grminalac]

I have had mixed results with spyware removal programs, they work, but don't seem to be dependable. We are running symantec corporate 9 and it detects spyware but with mixed results, i ahve used others such as ad aware and spybot, but they produce mixed results. Have you considered purchasing a content filtering unit for your network and just laying down a policy on only visiting work related sites? That has reduced infestation where I work considerably. Having win xp with sp2 and correctly setting user permissions has helped as well.

 

[SagaLore]

I'm anxiously awating for PatchLink's spyware plugin to come out. Since we're already in the works of buying a patch management solution, we can kill two birds with 1 stone, much more cost effectively too.

 

[Steve]

Had an interesting experience this morning.


Visited a user whose IE start page and search page were changed. He would reset them, but they would change back to the bad pages. He'd also get three extra favorites and a folder in his favorites list, which even when deleted would return. A co-worker of mine had already run a scan and cleaning with an updated Ad-Aware yesterday.


I ran Ad-Aware again and found some junk; cleaned it out. Then I installed SpyBot, updated it and ran a scan; cleaned out a little more junk. Also installed the Google Toolbar, SpywareBlaster and SpywareGuard. The latter kept giving me warnings about the start and search pages changing, as well as BHOs trying to install. Between this and TeaTimer's warnings I would prevent installations and changes, but the warnings kept coming. Even tried some of this in Safe Mode.


I next tried CWShredder and it found a culprit, but that cleaning did not fix the problem. I then did PestPatrol's free online scan, and it pointed me to a number of files and registry entries that I cleaned out. Still, the problem persisted. Finally, I installed Webroot's Spy Sweeper and did a sweep. Found the guilty parties and summarily executed them. Also enabled "shield" settings a la TeaTimer. One other thing was the SpyBot's SDHelper wasn't working, had to download its .dll to fix it.


This experience has been my initial exposure to both PestPatrol and Spy Sweeper, and up until now the consensus has favored PestPatrol. I'm surprised it wasnt' able to deal with this harsh infection, which Spy Sweeper easily took care of and provided future protection (for 30 days). Can anyone confirm if the enterprise version of PestPatrol is at least as good as my experience with Spy Sweeper?


I've also signed up for the network version of SpywareBlaster, so I'll see if that's any better than the current program when it becomes available. I'd really like to see where in SAV 8 (Corp.) one can toggle settings for spyware/adware files.

 

[SagaLore]

Originally posted by: sm8000
This experience has been my initial exposure to both PestPatrol and Spy Sweeper, and up until now the consensus has favored PestPatrol. I'm surprised it wasnt' able to deal with this harsh infection, which Spy Sweeper easily took care of and provided future protection (for 30 days). Can anyone confirm if the enterprise version of PestPatrol is at least as good as my experience with Spy Sweeper?

PestPatrol was bought out by Computer Associates.

At my last security training class, our instructor told us this joke: "Computer Associates is where good products go to die."

 

[Schadenfroh]

Originally posted by: SagaLore

Originally posted by: sm8000
This experience has been my initial exposure to both PestPatrol and Spy Sweeper, and up until now the consensus has favored PestPatrol. I'm surprised it wasnt' able to deal with this harsh infection, which Spy Sweeper easily took care of and provided future protection (for 30 days). Can anyone confirm if the enterprise version of PestPatrol is at least as good as my experience with Spy Sweeper?

PestPatrol was bought out by Computer Associates.

At my last security training class, our instructor told us this joke: "Computer Associates is where good products go to die."

lol

 

[kermalou]

Originally posted by: agnitrate
I'm not sure how it fits into the enterprise community, but here goes :

I use a Quadra-headed approach on these malicious software types :

Ad-Aware - scanner
Spybot - scanner
SpywareGuard - real-time protection
SpywareBlaster - immunization like you have used

I also use Firefox with the Adblock extension, but that's not crucial since most enterprises use IE. I have almost zero spyware on my computer after running this config for > 6 months. It's wonderful when software works. Now somebody just has to package them all together...

I'd like to know what corporations use to keep their users in order in this sense.

-silver

same as what i do, exactly to a T

 

[SaintTigurius]

Microsoft anti-spyware its in beta but its KICK AsS.....

 

[Codewiz]

MS antispyware is going to be free.

 

[Diz2K2]

It will also solve your browser hijacking issued. Try MS antispyware

 

[Steve]

Originally posted by: Codewiz
MS antispyware is going to be free.

I just found that out today too. Now I'm torn between that and Firefox, but I haven't tried either at the office.

SagaLore, some of our admins have the same sentiment about Computer Associates. I think we're using their backup software but looking for something better.

 

[SagaLore]

Originally posted by: sm8000

Originally posted by: Codewiz
MS antispyware is going to be free.

I just found that out today too. Now I'm torn between that and Firefox, but I haven't tried either at the office.

SagaLore, some of our admins have the same sentiment about Computer Associates. I think we're using their backup software but looking for something better.

We went from Veritas to CA's ArcServe. The reason we left Veritas was because we just renewed with a huge license fee while still on NT4. A few months later we migrated to 2k Server. During the weekend event, we found out that Veritas would not install. Our license covered 2k, but did NOT cover 2k Advanced Server. Veritas would NOT give us a license key for Advanced, would NOT let us pay the difference for it, and told us we have to pay for all new licenses which cost even more than what we just paid.

So for about 6 months we used 2k Backup Utility.

So after some testing we went with ArcServe, which was convenient since we had just gotten CA's InoculateIT antivirus too. Got a great deal. Unfortunately our backups are only about 75% reliable because their alert manager software sucks and often a job gets hung up indefinitely without any notice. But it doesn't matter much anymore because now we replicate all our remote servers to a single EMC and then replicate it again to a warm site.