Help me make a list of exe's to check

Asgorath ([H]ard|Gawd; joined Jul 12, 2004; 1,253 messages)
I want to check my network for spyware and chat programs. Please help me add to this list. Basically I'm going to search my network periodically for any of these. If they come up positive then I'll go to that machine and investigate further. I realize that just having one of these exe's is not foolproof, but it is a good indication.

Thanks.

Chat:
C:\Program Files\AIM6\aim6.exe

Spyware:
C:\Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe
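A scanner for the kind of periodic sweep described above, added here as an example and not part of the original post. It checks each host's C$ admin share (the same access psexec needs) for the two listed paths, and, because a path alone is not foolproof (a renamed or moved copy slips past it), also hashes every .exe under Program Files against a SHA-256 watchlist. The host names, the hash table and the directory tree built by demo() are assumptions or constructed data, not values from the thread.

```python
"""Sweep hosts for the executables on a watchlist, by path and by hash.

Added example (not code from the thread). Assumptions: you run it from a
Windows admin workstation that can reach each host's C$ share, which is
the same access psexec needs. Path matching covers the two entries the
original post lists; SHA-256 matching also catches a copy that has been
renamed or moved, which a path-only check would miss.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Paths from the original post, relative to the drive root.
WATCHLIST_PATHS = {
    r"Program Files\AIM6\aim6.exe": "chat",
    r"Program Files\MyWebSearch\bar\1.bin\mwsoemon.exe": "spyware",
}

# SHA-256 -> category. Empty placeholder: populate it from copies you have
# already identified yourself, not from guessed values.
WATCHLIST_HASHES = {}


@dataclass
class Hit:
    host: str
    path: str
    category: str
    sha256: str
    how: str  # "path" (known location) or "hash" (found elsewhere)


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_root(host, root, paths=WATCHLIST_PATHS, hashes=WATCHLIST_HASHES,
               scan_dirs=("Program Files",)):
    """Return Hits under root, which is a local directory or \\\\host\\C$."""
    hits, seen = [], set()
    for rel, category in paths.items():
        full = os.path.join(root, rel.replace("\\", os.sep))
        if os.path.isfile(full):
            hits.append(Hit(host, full, category, sha256_of(full), "path"))
            seen.add(os.path.normcase(os.path.abspath(full)))
    if not hashes:
        return hits
    for sub in scan_dirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                key = os.path.normcase(os.path.abspath(full))
                if not name.lower().endswith(".exe") or key in seen:
                    continue
                try:
                    digest = sha256_of(full)
                except OSError:
                    continue  # locked or unreadable file; skip it
                if digest in hashes:
                    hits.append(Hit(host, full, hashes[digest], digest, "hash"))
    return hits


def scan_hosts(hosts, **kwargs):
    """Check each host's C$ admin share; unreachable hosts map to the error."""
    results = {}
    for host in hosts:
        try:
            results[host] = check_root(host, rf"\\{host}\C$", **kwargs)
        except OSError as err:
            results[host] = err
    return results


def demo():
    """Offline demonstration on a constructed directory tree (no real binaries)."""
    root = tempfile.mkdtemp()
    fake_exe = b"MZ constructed sample, not a real binary"
    known = os.path.join(root, "Program Files", "AIM6")
    moved = os.path.join(root, "Program Files", "Games")
    for d in (known, moved):
        os.makedirs(d)
    with open(os.path.join(known, "aim6.exe"), "wb") as f:
        f.write(fake_exe)
    with open(os.path.join(moved, "solitaire.exe"), "wb") as f:
        f.write(fake_exe)  # same binary, renamed and moved
    digest = hashlib.sha256(fake_exe).hexdigest()
    return check_root("demo-pc", root, hashes={digest: "chat"})


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    report = scan_hosts(targets) if targets else {"demo-pc": demo()}
    for host, hits in report.items():
        if isinstance(hits, Exception):
            print(f"{host}: unreachable ({hits})")
            continue
        for h in hits:
            print(f"{host}: {h.category} via {h.how}: {h.path} sha256={h.sha256}")
```

Run it with host names as arguments to sweep real machines, or with no arguments to see the demo tree produce one path hit and one hash hit. A hit is a prompt to go look at the machine, as the post says, not proof by itself.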
 
You're looking at this kind of backwards. Why not perform a full audit of the machine and put in place proper protections to keep them from getting anything malicious? First off, don't let your users run as administrators. Second, get a good corporate antivirus. That right there will drastically cut the number of malware infections you receive.
 
You're looking at this kind of backwards. Why not perform a full audit of the machine and put in place proper protections to keep them from getting anything malicious? First off, don't let your users run as administrators. Second, get a good corporate antivirus. That right there will drastically cut the number of malware infections you receive.


We have Norton AV Corporate. They need to be admins to run some of our custom company software. We run regular spyware checks.

But people keep on installing Smiley Central even though we tell them not to and we don't want it on the network. Also, some people are sneaking chat programs on and we need to keep track of those people and reprimand them. We already blacklist a lot of sites on our firewall, but a good list of these would be helpful. There are some spyware programs that don't always register as spyware.

Plus we don't have a corporate spyware scanner. We're thinking of getting one, but don't have one yet. Maybe I can find a command line based one so that I can use psexec to run it.
 
Use software restrictions in group policy to block the applications and installers.
 
They need to be admins to run some of our custom company software.

At my current job we have a ton of custom coded software the devs claim needs full admin, we just run filemon and regmon on a user or users until we find exactly what files they actually need access to and give them r/w to those keys/folders.

Can be a pain to get rolling but definitely better than full admin access.
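The Filemon/Regmon approach above produces a long event list that has to be boiled down to the handful of paths the application really needs. The script below is an added example, not from the thread: it reads a Process Monitor CSV export (procmon is the successor that folded Filemon and Regmon together, and its File > Save > CSV export carries the columns used here), keeps only ACCESS DENIED events for the named process, and reports the minimum right per file or registry key. SAMPLE_CSV is constructed data standing in for a real capture; the process and path names in it are made up.

```python
"""Turn a Process Monitor CSV export into the list of paths a custom
application actually needs, so users can run it without local admin.

Added example, not from the thread. Filemon and Regmon were superseded by
Process Monitor (procmon), whose CSV export carries the columns used here.
SAMPLE_CSV is constructed data standing in for a real capture filtered to
the application under test.
"""
import csv
import io

# Constructed sample: two denied writes to the same ini file, a denied
# registry write, a denied registry read, one success, one other process.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1234567 AM","custapp.exe","1234","CreateFile","C:\Program Files\CustApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.1234570 AM","custapp.exe","1234","CreateFile","C:\Program Files\CustApp\config.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.2000000 AM","custapp.exe","1234","RegSetValue","HKLM\SOFTWARE\CustApp\LastRun","ACCESS DENIED","Type: REG_SZ, Length: 20"
"9:01:02.3000000 AM","custapp.exe","1234","CreateFile","C:\Windows\Temp\custapp.log","SUCCESS","Desired Access: Generic Write"
"9:01:03.0000000 AM","explorer.exe","800","RegOpenKey","HKCU\Software\Classes","SUCCESS","Desired Access: Read"
"9:01:04.0000000 AM","custapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\CustApp\Secrets","ACCESS DENIED","Desired Access: Query Value"
'''

# Operations that only make sense with write access to the object.
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
             "WriteFile", "SetDispositionInformationFile",
             "SetRenameInformationFile"}
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


def needed_rights(csv_text, process_name):
    """Map each path the process was denied on to the minimum right (read/write)."""
    rights = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        wants_write = (row["Operation"] in WRITE_OPS
                       or "Write" in row["Detail"]
                       or "All Access" in row["Detail"])
        level = "write" if wants_write else "read"
        # Never downgrade a path that an earlier event needed write on.
        if rights.get(row["Path"]) != "write":
            rights[row["Path"]] = level
    return rights


def split_by_kind(rights):
    """Separate registry keys from file-system paths; they get different ACL tools."""
    files, keys = {}, {}
    for path, level in rights.items():
        target = keys if path.upper().startswith(REGISTRY_PREFIXES) else files
        target[path] = level
    return files, keys


def report(csv_text, process_name):
    """Human-readable grant list for the process."""
    files, keys = split_by_kind(needed_rights(csv_text, process_name))
    lines = [f"{process_name}: grant the user group these rights, nothing more"]
    lines += [f"  file    {level:5} {p}" for p, level in sorted(files.items())]
    lines += [f"  regkey  {level:5} {p}" for p, level in sorted(keys.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # procmon writes UTF-8 with a BOM; utf-8-sig accepts it with or without.
    text = (open(sys.argv[1], encoding="utf-8-sig").read()
            if len(sys.argv) > 1 else SAMPLE_CSV)
    print(report(text, sys.argv[2] if len(sys.argv) > 2 else "custapp.exe"))
```

Run it as `python procmon_rights.py capture.csv custapp.exe` against a real export, then grant only the listed paths and capture again with the user no longer an admin; iterate until the denied list is empty.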
 
At my current job we have a ton of custom coded software the devs claim needs full admin, we just run filemon and regmon on a user or users until we find exactly what files they actually need access to and give them r/w to those keys/folders.

Can be a pain to get rolling but definitely better than full admin access.

Ditto to this. This is a common procedure in larger networks where policy dictates that no user run as an administrator.
 
Maybe in the future... we have so many projects that reducing user privileges isn't at the top of the list.
 
I think you can prevent users from installing things through AD, but I don't remember how to do that.
 
I think you can prevent users from installing things through AD, but I don't remember how to do that.

You have two options, don't let them run as admins (preferred), or use software restrictions and block given files by hash.
 
Maybe in the future... we have so many projects that reducing user privileges isn't at the top of the list.

Here is what I am hearing: "We have a problem, but we don't have time to deal with it."

The time you spend properly securing your systems will be far less than the amount of time you spend reacting to a problem caused by lack of security. Security should always be one of IT's top priorities, because most of the time it is not for everyone else.
 
Here is what I am hearing: "We have a problem, but we don't have time to deal with it."

The time you spend properly securing your systems will be far less than the amount of time you spend reacting to a problem caused by lack of security. Security should always be one of IT's top priorities, because most of the time it is not for everyone else.

I'm not trying to discount the fact that security is important, but in my job I don't have final say. I was told to get rid of these clients, the first step in getting rid of them is detecting them. I don't get to make the choice to redo the entire security system of all the users. That choice is lengthy and expensive. If I were an outside consultant, I'd be all for it. But I'm just an employee. We use a lot of internally developed programs and it would take quite some time to figure out how to set the security for the users just right so they didn't have all sorts of weird problems. In the meantime, we'd be losing productivity and losing business while me and the other IT guys try and figure it out.

My boss's saying to me is that his business brings in ~$20k/day. If I knock down the network or otherwise inhibit the business from running, they're dead in the water.

That security upgrade might be possible if we're at a slow point where I could take 2 or 3 users and kind of beta test the security on them. As they had problems I'd troubleshoot it and log what I did. After they didn't have any more problems, I could try it with some other people applying all the security tweaks I've learned so far.

What you're suggesting is a lengthy process. We don't have the time to deal with that process right now. I'm not discounting that process and we've tried it before. Too many problems cropped up and we made everyone local admins. That has been working for ~3 years now with few problems. That's why we haven't locked down the security...because the local admin strategy has worked fine so far. Occasional problems, but not very many. Re-doing every client machine is an idea in torture.

Sounds like I have no support on this one here, I'll have to check it out myself.

Thanks anyways.
 
Could you not use Group Policy? Using a software restriction policy you could lock out the paths to the programs. I have a feeling this is what you were getting at in the first place. Under Software Restriction Policies and Additional Rules (this is certainly under Local Security Settings; I presume GP has it too).
 
Sounds like I have no support on this one here, I'll have to check it out myself.

Thanks anyways.

What people are actually saying is that researching the fix for a limited set of known apps (most companies only use 20-30), takes a lot less time than locating the thousands of applications and the details that you need block spy ware or other unwanted programs.

Especially since the really pernicious ones mutate their names and file locations with every install.

You think it would take longer and be more expensive to fix it right.

It's not. Do a cost/benefit analysis.

Blocking requires an ongoing, at least linear utilization of resources. New bad things are released at an ever increasing rate. Assuming you gain efficiency in blocking over time, your best case is a fixed budget drain into perpetuity.

Allowing only what you need to run typically follows an exponential down curve of resources until you have your environment correctly established, then time/budget is required ONLY when a new application is integrated. Most businesses don't deploy completely new applications on a cycle that comes anywhere near the new availability of the things you want to block...

The first time you do it by blocking is cheaper. Getting to do it 18 more times in 18 months is not.

Don't be an IT employee at your company, be an IT Professional at your company.

You are an "IT Professional" when you present business reasons for implementing technical solutions for supporting business requirements. Give managers business reasons (money) for making better IT decisions. The right thing is only the right thing for the business if it affects the bottom line in a positive fashion. When it comes to money, they get that. Put the ongoing requirements versus the project to actually fix it in cost benefit analysis terms.

While drawing up the business analysis, I'd go ahead and block the four biggest threats that are currently causing issues in your environment, but make sure management is aware of your cost benefit analysis before spending more time on a block only implementation that will only go on forever.
 
You mentioned that you block a lot of sites at the firewall.. what about outbound ports / protocols? Can't you block AIM all together there and make tracking down client installs moot?
 
You mentioned that you block a lot of sites at the firewall.. what about outbound ports / protocols? Can't you block AIM all together there and make tracking down client installs moot?

AIM is easy enough (5190 if I remember correctly) - but a lot of other clients will fall back to sending out on port 80.
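A log check that follows from the two posts above, added here as an example and not part of the thread: it flags any internal host that still touches port 5190 (an allow or a deny both mean a client is installed), and it catches the fallback to port 80 by looking at the first bytes of the connection, since AIM's OSCAR protocol wraps every message in a FLAP frame that starts with 0x2A, a channel byte of 1 to 5, a 16-bit sequence number and a 16-bit data length, on whatever port it is sent. The key=value log format, the payload field and the 203.0.113.0/24 server addresses are assumptions and constructed data; map the field names to whatever your firewall or IDS exports.

```python
"""Flag hosts that are still reaching AIM after the firewall blocks 5190.

Added example, not from the thread. LOG_LINES are constructed firewall
records in a key=value form (the field names are assumptions). Some
records carry the first bytes of the connection payload as hex, which is
what catches a client that fell back to port 80: every OSCAR message is
wrapped in a FLAP frame (0x2A, channel 1..5, 16-bit sequence, 16-bit data
length) regardless of port. 203.0.113.0/24 is a documentation range
standing in for real server addresses.
"""
from collections import defaultdict

AIM_PORT = 5190

# Constructed sample: host .22 talks to 5190 (once allowed, once denied),
# host .31 sends FLAP frames over port 80, host .40 does ordinary HTTP/HTTPS.
LOG_LINES = """\
2007-03-01T09:12:01 src=10.1.4.22 dst=203.0.113.10 proto=tcp dport=5190 action=allow
2007-03-01T09:12:05 src=10.1.4.22 dst=203.0.113.10 proto=tcp dport=5190 action=deny
2007-03-01T09:13:10 src=10.1.4.31 dst=203.0.113.11 proto=tcp dport=80 action=allow payload=2a010001000400000001
2007-03-01T09:13:12 src=10.1.4.31 dst=203.0.113.11 proto=tcp dport=80 action=allow payload=2a0200030006000100020000
2007-03-01T09:14:00 src=10.1.4.40 dst=203.0.113.50 proto=tcp dport=80 action=allow payload=474554202f20485454502f312e31
2007-03-01T09:14:02 src=10.1.4.40 dst=203.0.113.50 proto=tcp dport=443 action=allow
"""


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict; None for a blank line."""
    parts = line.split()
    if not parts:
        return None
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


def looks_like_flap(payload: bytes) -> bool:
    """True if payload is exactly one OSCAR FLAP frame: 0x2A, channel 1..5,
    2-byte sequence, 2-byte data length that matches the bytes that follow."""
    if len(payload) < 6 or payload[0] != 0x2A:
        return False
    if not 1 <= payload[1] <= 5:
        return False
    data_len = int.from_bytes(payload[4:6], "big")
    return data_len == len(payload) - 6


def aim_indicators(log_text):
    """Return {src_host: set(reasons)} for hosts whose traffic looks like AIM."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        dport = int(rec.get("dport", 0))
        if dport == AIM_PORT:
            # A deny still tells you a client is installed on that host.
            found[rec["src"]].add(f"port {AIM_PORT} ({rec.get('action', '?')})")
        payload_hex = rec.get("payload")
        if payload_hex and looks_like_flap(bytes.fromhex(payload_hex)):
            found[rec["src"]].add(f"FLAP frame on port {dport}")
    return dict(found)


if __name__ == "__main__":
    for host, reasons in sorted(aim_indicators(LOG_LINES).items()):
        print(host, "->", "; ".join(sorted(reasons)))
```

Port-only logging would report host .22 and miss .31 entirely, which is the fallback problem the reply describes; the payload check is what closes that gap, and the resulting host list feeds the same "go to that machine and investigate" step the original poster had in mind.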
 
We used this with quite a bit of success:

http://sourceforge.net/projects/ocsinventory/

Or, if your boss is raking in 20k a day... how about he sends you off to MS training and you come back prepared with the tools to fight this battle? SMS Server, Microsoft MOM, there are a plethora of tools that integrate right into your domain that make this job as simple as opening up an MMC.

Start with OCS. Stick it in your users' logon scripts. Read the data, kick some butts.
 