Net Admins: Active spyware protection. What do you use?

Discussion in 'Networking & Security' started by Coldtronius, Mar 13, 2006.

  1. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    OK admin gurus, I'm gonna pick your brain and expertise. I work for a local IT firm and a lot of our clients are small businesses and a lot of single customers who simply don't have the brain power, time or ability to use in-depth spyware removal tools and cleaners other than Spybot and Ad-Aware.

    Those work great, WHEN UPDATED AND USED, but my company is really looking for an "invisible" solution where it will sit by itself, keep most of the basic spyware junk out of a machine, update itself with definitions and be intelligent enough to block bad things and allow good data to flow through without throwing up a damn window every single time asking the customer what to do!

    We have been using Sunbelt's CounterSpy as a single client and as LAN-based enterprise active protection on our network for the past few months, but there is no way to tell it to shut the hell up. Every single freaking packet that passes through the WAN connection, it asks the client what to do with it. Hell, half the time I dunno what to do with it, so what's the average consumer going to do? I can't give a seminar to every fricking client on do's and don'ts: use Firefox, don't go to bad websites that look like 12-year-olds built them, don't use P2P programs.

    What have you guys been using/recommending to clients? I could really use some feedback, as trying to "teach" people how to use the internet safely isn't working, especially when it comes to clients' kids.
     
  2. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    Haven't used Sunbelt's version... but most centrally managed packages allow you to create a custom configuration to push out to the clients, making it automatically perform actions based on what you say.

    What antivirus are you using? I've seen my clients' malware problems take a big drop since moving to NOD32 antivirus, since it's quite strong in ad/spyware detection. Kaspersky is also very strong in this area.
     
  3. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    Most of our clients have been using Symantec software of some kind. I'm looking more for single-computer-based solutions, but network is also needed. Can you give me info on NOD32 and how well it does its job in comparison to Symantec? What are the prices for single-client and network solutions? I need to present this info to my CEO so we can come up with a plan.
     
  4. shade91

    shade91 Guest

    Nothing. No need for spyware protection when my users don't have administrative access on their PCs. Hence, they can't install anything.
     
  5. LoStMaTt

    LoStMaTt 2[H]4U

    Messages:
    3,185
    Joined:
    Feb 26, 2003
    This is good practice, but not always possible to use in some environments.

    The best method is to stop spyware at its source: malicious websites.

    Web filtering can be key in the fight against spyware.

    www.surfcontrol.com
    Not the cheapest solution, but it is the ultimate solution.
     
  6. QwertyJuan

    QwertyJuan [H]ardForum Junkie

    Messages:
    11,425
    Joined:
    Aug 17, 2000
    My machines that aren't locked down use MS AntiSpyware... works like a charm.

    QJ
     
  7. amenthes

    amenthes Limp Gawd

    Messages:
    324
    Joined:
    Sep 21, 2005
    We use a SonicWall appliance, which isn't terribly cheap, but isn't that much either. That and a combination of almost no one having admin rights and Trend AV seems to be the cure for the common spyware.

    Can't really speak to how well the SonicWall works though, it was implemented at the same time that admin rights were removed from everyone... not too good for proving the SonicWall's effectiveness.

    As far as anti-spyware software goes, MS AntiSpyware has been the easiest and most maintenance-free that I've used.
     
  8. shade91

    shade91 Guest

    I've been able to do this with practically any system running modern apps. Our graphic designers though use picky applications. I keep a very tight leash on their browsing habits though. They know they're being watched.
     
  9. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    Unfortunately, I rarely have the ability to lock down local machines with plain user rights. We've tried it in the past, and we just get continual complaints of "This won't load!", "I keep getting this message!", "We're gonna fire you if you don't give us access to our stuff!"

    Most of our clients need full administrator access to things. That's how my company operates, on the basis of our clients' needs. Is it the right way? Probably not, but I'm just the tech and my CEO won't sway away from it.
     
  10. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    I can only say from personal experience how NOD32 is better than Symantec Corp Edition. I'm a consultant for small business networks... I've been doing so for many, many years. My most popular antivirus application in the past was Symantec Corporate/Small Business Edition... since I mostly took care of networks, not so much stand-alone PCs. I'd been using that product since around version 5. Also did quite a few McAfee as well as some Computer Associates ones. For the stand-alone or very small peer-to-peer networks... I did the Symantec retail product... although I started disliking that around version 2003.

    A couple of years ago, as ad/spyware began getting to be more common of a problem, I started looking for other products. I looked at AVG, NOD32, and Kaspersky... and settled on NOD32... Kaspersky at that time was too big of a hit on system performance, made the machine waaaay too slow. They have since gotten MUCH better, but I'm already with NOD32.

    I can tell you that since going with NOD32, problems have dropped significantly. Also, as my clients' licensing with Symantec expires, I'm replacing most of them with NOD32. What's cool... is the night I replace Symantec Corp Edition with NOD32 on their network... it's funny seeing NOD32 reporting in from workstations on the management console as it finds stuff Symantec (or whatever AV product they had before) never saw.

    Some other things I do as "best practice". Every workstation I set up for a client... when I receive the box, I unbuckle the OS... install every Windows update. I then install Spybot S&D... update and immunize, as well as SpywareBlaster... update and protect, the Google Toolbar into IE to help cut down on misleading popups, Ad-Aware, CCleaner, and Microsoft Defender... updated. As well as my other usuals like the latest Macromedia stuff (without the Yahoo bar), QuickTime (pulled out of the systray and quickbar), Java, etc. I do the latest of all the stuff they need on the net... so I can guide the install and make sure the extra "fluff" doesn't get installed... which it would if you left these installs to the customer.

    Now... each time you go visit your clients onsite... you take a few extra minutes to go around and update Spybot and SpywareBlaster.

    The majority of my clients all have local admin rights... as most of them run software that needs this. Since adopting those best practices I listed above... I really don't run into ad/spyware problems with my clients.
     
  11. ethos747474nikon8989

    ethos747474nikon8989 Limp Gawd

    Messages:
    204
    Joined:
    Jan 17, 2006
    Group Policy keeps anyone from installing anything. It's pretty much bulletproof for all intents and purposes. We have a few cases where we can't do that, and Symantec AntiVirus Corporate does a pretty good job. It has anti-spyware in it and it auto-updates and runs on its own. It's not 100% though. Those machines never die because of spyware and the users never see enough to complain, but I see the machines throwing oddball stuff at the IDS system. So they do still have some spyware, but not a noticeable amount.
     
  12. da sponge

    da sponge [H]ard|Gawd

    Messages:
    1,133
    Joined:
    Aug 23, 2001
    GFI Download Security.

    I don't have ANY spyware and haven't for years. The best thing to do is cut it off before it gets to the end user. Everyone in my company runs through an ISA firewall/proxy and DownloadSecurity sits there as an HTTP/FTP filter, quarantining any executable and blocking most other harmful content types. If you don't allow activex/exe/whatever other installers, you can't get spyware. It also does virus/trojan scanning and checks compressed files. A nice side benefit is that IM viruses are of no concern for the few users that use IM, because they have all relied on downloading from a 3rd-party site.

    We also have NOD32 on the desktop, but it rarely complains about anything since traffic is effectively filtered at the border. Defense in depth is good though :)
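    The quarantine-by-content idea above, as an added example: this is not GFI's or ISA Server's code, but a PowerShell sketch of the kind of check a border download filter applies. It classifies a file by its leading bytes rather than its name or the server-supplied Content-Type, since both of those are chosen by the server. The demo files it writes to %TEMP% are constructed for this example.

```powershell
# Added example (not GFI's or ISA Server's code): classify a downloaded file by
# its magic bytes first and by extension second, so a renamed executable is
# still caught. Demo files written to %TEMP% are constructed for this example.

$blockedExtensions = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd',
                       '.msi', '.cab', '.ocx', '.dll', '.vbs', '.js', '.hta')

function Get-DownloadVerdict {
    param([Parameter(Mandatory=$true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ext   = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $head4 = if ($bytes.Length -ge 4) { [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) } else { '' }

    # PE/DOS executables (EXE, DLL, OCX, SCR, ...) start with 'MZ', whatever the name says.
    if ($head4.StartsWith('MZ')) { return 'quarantine: PE executable (MZ header)' }
    # Microsoft Cabinet archives ('MSCF') are how ActiveX installers ship.
    if ($head4 -eq 'MSCF')       { return 'quarantine: CAB archive' }
    # ZIP containers ('PK' 0x03 0x04) need their members scanned, not just the wrapper.
    if ($bytes.Length -ge 4 -and $bytes[0] -eq 0x50 -and $bytes[1] -eq 0x4B -and
        $bytes[2] -eq 3 -and $bytes[3] -eq 4) { return 'inspect: ZIP container, scan contents' }
    # Name-based rule last: catches scripts and installers that carry no magic bytes.
    if ($blockedExtensions -contains $ext) { return "quarantine: blocked extension $ext" }
    return 'allow'
}

function Invoke-Demo {
    $dir = Join-Path $env:TEMP 'dlfilter-demo'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # Constructed samples: a PE stub renamed to look like a picture, a script, a text file.
    $fakeImage = Join-Path $dir 'photo.jpg'
    [System.IO.File]::WriteAllBytes($fakeImage, [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00))
    $script = Join-Path $dir 'update.vbs'
    [System.IO.File]::WriteAllText($script, 'MsgBox "constructed sample"')
    $notes = Join-Path $dir 'readme.txt'
    [System.IO.File]::WriteAllText($notes, 'plain text, nothing to block')
    foreach ($f in @($fakeImage, $script, $notes)) {
        '{0,-12} -> {1}' -f (Split-Path $f -Leaf), (Get-DownloadVerdict -Path $f)
    }
}

Invoke-Demo
```

    The order of the checks is the point: the magic-byte tests run before the extension list, so photo.jpg is quarantined as a PE file even though its name and a forged Content-Type of image/jpeg would pass a name-only rule. A real filter also has to apply the same test to every member of a ZIP, which is what the "inspect" verdict leaves for the archive scanner.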
     
  13. Ezekial

    Ezekial [H]ard|Gawd

    Messages:
    1,684
    Joined:
    Jun 7, 2004
    I keep hearing good things about NOD32, especially here, so I may have to give it a try sometime.

    For me... I used, and have installed for some of my clients (no longer clients, moved across the country), NAV Corporate. It seemed to do the job fairly well, and I didn't really have any problems with spyware either. After I would visit a new client with spyware, remove it, and do a little educating (sometimes add Firefox, or even hide IE icons) and tell them to use Firefox for general browsing and IE for known sites (like business sites), my spyware calls were cut by 3/4 or so. SP2 seemed to do a lot to help as well.

    As for spyware... I normally just stuck Ad-Aware on the machines, updated it for the client, and would re-update when I visited the machine. Normally monthly to bi-monthly.
     
  14. ZoT

    ZoT [H]Lite

    Messages:
    110
    Joined:
    Jan 27, 2006
    lol, hardly any software needs local admin rights; you people just aren't trying hard enough to get around that and lock the workstation down as it should be.

    Microsoft Defender + locked-down rights is all that's needed. I personally don't buy into any antivirus package that deals with antispyware too; they all suck. They need to be two separate applications, each with its own purpose.
     
  15. Cadsworth

    Cadsworth Limp Gawd

    Messages:
    216
    Joined:
    Jun 4, 2002
    -activex/exe/whatever other installers-
    Absolutely, I would do this at a zone level. Only allow trusted sites access to ActiveX, file download, etc. Disable most of the options for the internet. If they need to have access to a page, it is easy enough to have them add it to the trusted sites. Should keep machines clean as far as unwanted spyware. Users are always a problem as long as they have admin rights. As far as software, I say go with Windows Defender/MS AntiSpyware; does a pretty good job, and has a dummy mode where users aren't prompted.
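    The zone-level lockdown described above, as an added example that is not code from the thread or from Microsoft: it writes the documented IE security-zone registry values for the current user, disabling ActiveX and file download in the Internet zone (id 3) and mapping a few sites into the Trusted sites zone (id 2), then reads the settings back. Action values are 0 = enable, 1 = prompt, 3 = disable; the domain names are constructed placeholders.

```powershell
# Added example (not from the thread or Microsoft): lock down the IE Internet zone
# and whitelist the few sites that genuinely need ActiveX in the Trusted sites zone,
# using IE's documented zone registry layout. Zone ids: 2 = Trusted sites,
# 3 = Internet. Action values: 0 = enable, 1 = prompt, 3 = disable.
# The site names passed to Add-TrustedSite below are constructed placeholders.

$zonesRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Internet-zone actions that drive-by installers depend on, all set to "disable".
$internetLockdown = @{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked safe for scripting
    '1803' = 3   # File download
}

function Set-InternetZoneLockdown {
    $zone = Join-Path $zonesRoot '3'
    foreach ($entry in $internetLockdown.GetEnumerator()) {
        Set-ItemProperty -Path $zone -Name $entry.Key -Value $entry.Value -Type DWord
    }
}

# Map a domain (and its subdomains) to the Trusted sites zone: value 2 = zone id 2.
# Trusted sites keep their default, more permissive, action settings.
function Add-TrustedSite {
    param([Parameter(Mandatory=$true)][string]$Domain)
    $key = Join-Path $domainsRoot $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value 2 -Type DWord   # '*' = any scheme
}

# Read back what a zone will do for one action, so the change can be verified.
function Get-ZoneAction {
    param([int]$ZoneId, [string]$Action)
    (Get-ItemProperty -Path (Join-Path $zonesRoot "$ZoneId") -Name $Action).$Action
}

Set-InternetZoneLockdown
# Constructed placeholder domains standing in for a client's line-of-business sites.
Add-TrustedSite -Domain 'payroll.example.com'
Add-TrustedSite -Domain 'courtfilings.example.gov'

# Expect 3 (disable) for the Internet zone and 0 (enable) for Trusted sites.
"Internet zone, run ActiveX (1200): {0}" -f (Get-ZoneAction -ZoneId 3 -Action '1200')
"Trusted zone, run ActiveX (1200): {0}" -f (Get-ZoneAction -ZoneId 2 -Action '1200')
```

    This version is per user (HKCU); to make it apply to every account on a shared machine, write the same values under HKLM and set the DWORD Security_HKLM_only to 1 under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, and on a domain the "Site to Zone Assignment List" Group Policy setting pushes the whitelist centrally. If the Trusted sites zone still has "Require server verification (https:)" turned on, plain http sites added this way may not be honoured, so either clear that option or map the http scheme explicitly instead of '*'.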
     
  16. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    Unfortunately, setting trusted sites on single walk-in client machines won't work for obvious reasons.

    I guess I should state that I'm looking for more singular active spyware protection software for walk-in clients and home users rather than just removal tools like Spybot and Ad-Aware. Our business clients are always behind some type of firewall with antivirus protection, but we don't enforce user rights; it simply doesn't work with our clients.

    Typical scenario:

    Average Joe walks in: Hi, my machine is slow/acting funny/not working properly.

    Me: OK, we'll take it in; more than likely virus/spyware/startup program problems. Depending on severity, we may just back up data and rebuild the system. We'll call you.

    Average Joe: OK, thanks so much.

    Me:
    Carries HP/Dell/clone to workbench and boots up.

    1. Good God, startup program hell. Time for MSCONFIG.

    2. That's better. Hmm, no or expired antivirus protection, figures.

    3. Install some type of antivirus, free or paid *depending on client*.

    4. *Part I need advice on* Install an active spyware blocker that won't cause confusion for the customer. It sits there, it does its job invisibly. Period. Finito.

    5. Add manual removal tools like Spybot and Ad-Aware and consult on use.

    6. Fully patch Windows.
     
  17. typhoon43

    typhoon43 2[H]4U

    Messages:
    3,931
    Joined:
    Apr 5, 2001
    Layered approaches work great:
    1) Some form of on-access scanning antivirus software that is updated FREQUENTLY
    2) Restrict access (don't allow users install rights)
    3) Filter the web with Websense or SurfControl

    We've only had about 3 machines in the last 3 years get infected, and one had local admin access somehow.
     
  18. Zamboni

    Zamboni [H]ard|Gawd

    Messages:
    1,074
    Joined:
    Jun 1, 2004
    Microsoft AntiSpyware and some tweaking on the firewalls and DNS servers. We also had an outside company screen the spam emails out first. We had two critical applications that insisted on local admin rights, so locking things down wasn't an option.
     
  19. amenthes

    amenthes Limp Gawd

    Messages:
    324
    Joined:
    Sep 21, 2005
    So it sounds like you're dealing with client machines that you really have no control over and are just cleaning, then sending back into the world...?

    I mentioned it already, and so have others, but Microsoft AntiSpyware is really the simplest to use, and it has a mode that won't bug users every time something happens. It is active protection, not just a removal tool.
     
  20. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    I agree about Microsoft AntiSpyware (now called Microsoft Defender) being a good product. Decent detection, decent removal, some great advanced tools that most people don't dig into. Self-updating (how many freebie apps do that?), plus real-time protection.

    However, it's not much of a long-term solution... as it currently is only running in 6-month beta trials... expires in 6 months if the end user doesn't notice the popup balloon at the end of the 6-month period.

    So most of those computers you sent out a year or so ago... most likely it hasn't been running since last July.
     
  21. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    How would you compare SpywareBlaster to MS AntiSpyware?
     
  22. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004

    Eh... close... the best antispyware application is Webroot's Spy Sweeper.
     
  23. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    Yeah, but it ain't free for the full version.
     
  24. ethos747474nikon8989

    ethos747474nikon8989 Limp Gawd

    Messages:
    204
    Joined:
    Jan 17, 2006
    I guess I could be the guy who mentions Linux as a possible solution. No, I'm not starting the OS debate; I just thought it is worth mentioning that I have toyed with the idea of using Linux for desktop users. At one point, for cost and a few other reasons, I had 3 of our "geek friendly" users try using Linux boxes I set up for about a month. I'm not saying that I'm a Linux guy, and if I were better with it maybe things would have gone better.

    On the up side, they didn't have any issues with spyware or viruses.

    On the downside, I couldn't get enough of our applications to work to make it worth it.

    The basics like OpenOffice, web browser, email through Exchange and messenger worked great. The little things that I couldn't figure out, like software they had previously bought that I couldn't get WINE to run properly, eventually caused me to give them Windows back.

    It would work easily enough if you have users who don't need much more than office and email. Not saying it wouldn't do whatever you want; I just never figured it all out.
     
  25. omega-x

    omega-x 2[H]4U

    Messages:
    3,073
    Joined:
    Jun 21, 2003
    As someone said earlier, there's no need for tough anti-spyware as long as you force the use of Firefox (leave IE, just allow it access to a whitelist of websites).

    Case in point... Dad's PC: removed the IE icon, installed Firefox, gave it the IE icon and name, explained that. Installed the IE View extension for when it's NEEDED and explained THAT and the RISK of it.
    Cases of spyware on that PC since? 1 in a year, instead of 1 or 2 a week.
     
  26. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    Or better yet... "Opera!"

    However... it's tough to do. A while ago when the "Firefox" bandwagon got trendy, I tried getting a few clients flipped over to using it. One time I flipped a law firm over to having it on their desktops... but certain judicial websites they go to on a daily basis did not function correctly. And I got that often with many other clients... some of their mainstream websites that they use on a day-to-day basis simply don't work correctly. Even with Opera. I got tired of my cell phone ringing off my hips: "Waaa... my <blahblah> website doesn't work... what can I do?"

    Ends up being easier for me to just spend an extra minute on each machine and beef up IE... which in reality, since SP2 for XP came out... really is quite resistant now.
     
  27. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    Whoops... my bad... for some reason my brain went fritz and I read that as Sunbelt's product... CounterSpy, I think it's called.

    Yeah... I use SpywareBlaster on a lot of clients with higher risk. It's not a removal tool, or a scanner; it's more of a blocker... think of it as a condom for your web browser... it protects IE as well as Firefox.
     
  28. Pr3z

    Pr3z Limp Gawd

    Messages:
    295
    Joined:
    Oct 10, 2005
    Coldtronius:

    Was wondering what you use to back up a client's data, programs, etc. before trying to clean their hard drive?

    I have several machines here at work I would like to back up programs, etc. so that if there was a failure, a quick restore can add the programs back to a fresh Windows install without having to use the disks.
     
  29. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006

    We are not held liable for clients' data; it is their responsibility. We do our best to maintain data integrity, and if I sense a major problem or possible system crash, I back up the data, usually either to flash drive or CD-ROM, before pursuing any further.

    I've yet to "crash" a machine as a result of cleaning and repairing it, and I've gone through hundreds. I always leave myself a safety net so that if worst comes to worst, I can still retrieve data if a system totally tanks.
     
  30. Ezekial

    Ezekial [H]ard|Gawd

    Messages:
    1,684
    Joined:
    Jun 7, 2004
    I SO disagree it's not funny.

    That application brings even the fastest machine to its knees with all the running processes that program has. Does some intensive scanning with the realtime scanner.
     
  31. Pr3z

    Pr3z Limp Gawd

    Messages:
    295
    Joined:
    Oct 10, 2005
    Understandable about the not-liable part.

    But let's say, hypothetically: how would you recover programs lost in a crash? The documents, etc. could be saved beforehand, but what about the programs? Do you image the PC beforehand or just grab vital documents, pictures, music, etc.? Sorry to pry, just trying to get a better understanding of how others do it, to maybe simplify or do it better than I do now.
     
  32. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    Nope, I don't worry about programs. Programs can be reinstalled and rebuilt. Data cannot. I always play a balancing game when I'm dealing with spyware/virus/program/kid-trashed machines. Besides, what good will imaging a trashed OS do anyway, is my viewpoint.

    If I'm dealing with a machine with large amounts of problems, it would take X amount of my time, times that by Y, how much I charge an hour, and then theorize whether the system would even still be stable and reliable after that amount of work, vs. Z, backing up the data, wiping the HDD, restoring the computer *if possible* and giving the customer a brand new clean slate.

    80% of the time, I end up backing up data, nuking the HDD, rebuilding it, fully patching Windows, throwing on an antivirus of some kind and consulting with the customer on how to prevent the problem in the future; the customer has always walked away happy. I'd much rather rebuild a machine and have a clean slate for a client rather than band-aiding a broken machine to work for a while, only to end up back in the shop a few weeks later with the same or another problem, and I end up rebuilding it anyway.

    Not only does that convey a bad image for my company, but the customer ends up losing more time, money and patience as well; never a good thing.

    I'm honest and sincere with my clients. I continually keep in contact on what's going on, what I'm finding, the pluses and negatives of both aspects of cleaning vs. rebuilding, and let the customer make the decision.
     
  33. shade91

    shade91 Guest

    That is why you test the applications on your network on a 'limited user access' account before implementing it.

    I've gotten that from my users. I tell them to f**k off and that they aren't my boss. I've said it to a few directors here. Only people who can touch me are the IT director and company owner. Last I checked they both liked me :).

    It's a smart method of doing business. First you set them up with something bound to fail. Network fails, then you fix it, then you profit. As this cycle completes and restarts.. your company stays alive. Not being sarcastic.. but I've seen this plenty :).
     
  34. leaving0hio

    leaving0hio n00b

    Messages:
    6
    Joined:
    Mar 10, 2006
    We run Spybot hidden through the command line as a scheduled task - it updates, immunizes, scans, and cleans.
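    The hidden scheduled task described above, as an added example rather than leaving0hio's actual task: it registers a nightly task that runs Spybot S&D 1.x unattended as SYSTEM, then reads the task back. The install path and the 03:00 start time are assumptions, and the switches are the unattended-mode switches Spybot 1.x documents (hide from taskbar, update, immunize, check, fix, close), so confirm them against the installed version's help before relying on them.

```powershell
# Added example (not leaving0hio's actual task): nightly unattended Spybot S&D 1.x
# run as a scheduled task. Assumptions: install path, 03:00 start time, and the
# Spybot 1.x command-line switches (verify against the installed version).
# '--%' (PowerShell 3.0+) hands the rest of the line to schtasks verbatim, which
# keeps the escaped quotes around the path-with-spaces intact.

schtasks --% /Create /F /TN "Spybot nightly" /SC DAILY /ST 03:00 /RU SYSTEM /TR "\"C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe\" /taskbarhide /autoupdate /autoimmunize /autocheck /autofix /autoclose"

# Verify: the task exists, runs as SYSTEM, and shows the full command line.
schtasks --% /Query /TN "Spybot nightly" /V /FO LIST

# Kick it off once now rather than waiting for 03:00; re-run the query afterwards
# and check "Last Result" for a zero exit code.
schtasks --% /Run /TN "Spybot nightly"
```

    Running as SYSTEM means no user has to be logged on and nothing reaches the desktop, which is the "invisible" behaviour asked for earlier in the thread; the trade-off is that /autofix removes findings without anyone confirming them, so the task's result codes and Spybot's own logs are the only record that something was cleaned and should be reviewed on the next visit.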
     
  35. YeOldeStonecat

    YeOldeStonecat [H]ardForum Junkie

    Messages:
    11,330
    Joined:
    Jul 19, 2004
    Slows down... yes; to their knees... I disagree... I've seen much worse. But as a removal tool... in many, many comparison articles I've read... it's tops in detection and removal.
     
  36. Kaos

    Kaos [H]ard|Gawd

    Messages:
    1,328
    Joined:
    Oct 14, 2003
    I used Spy Sweeper daily when I worked for the Geek Squad and grew to love it. *HOWEVER* you do need to tinker with it a bit and turn off some of the stuff it does. Like any real security program it comes installed in a highly paranoid state; the startup monitor and such I normally don't run. The homepage blocker is great so you don't have to remove it via another app (been so long since I repaired PCs I forgot the name, but Merijn made it).

    Since moving into the IT side of things I do like Spy Sweeper Corporate, but I am still testing that out.
     
  37. Nasty_Savage

    Nasty_Savage [H]eathen Taste Righteous Fire!

    Messages:
    12,812
    Joined:
    Mar 19, 2001
    We've been playing with Deep Freeze. Basically a locked image of the workstation that can be unfrozen for updates or installs. Anything goes wrong, a reboot will put the machine back in the state it was in when it booted.

    I've had two problems so far. The last worm, blackmail or some such thing, managed to prevent at least one computer from shutting down, and it managed to infect a good percentage of machines during the update cycle we planned for overnights (wakes on LAN, grabs AV update and Windows updates, then reboots back to a frozen state).

    The other problem I have is that some of the older Win98 machines in the district are very low on specs. It's a good, tweaked image, but it does not seem to wake on LAN and grab the AV updates. Since we use SAV, the bloated def files over the network tend to slow the machines to a crawl. Working on a way to make it an exception until we can phase these old clunkers out. We really inherited a severely neglected network this year. I'm about to drop dead myself.
     
  38. Cadsworth

    Cadsworth Limp Gawd

    Messages:
    216
    Joined:
    Jun 4, 2002
    "I've had two problems so far. The last worm, blackmail or some such thing, managed to prevent at least one computer from shutting down and it managed to infect a good percentage of machines during the update cycle we planned for overnights (wakes on lan, grabs AV update and windows updates then reboots back to a frozen state)"

    1st problem -> Why not just unplug it? The computer should revert back on startup. Also, did you try a remote shutdown?
    2nd problem -> The general idea behind most of the single-state software is that Windows updates and antivirus are not important, because a reboot will negate any damage done.

    "Weve tried it in the past, and we just get continual complaints of "This won't load" I keep getting this message! "
    Users shouldn't be installing anything in an enterprise environment... That is what the help desk is for. Get remote desktop software (or use the Windows built-in); it takes two minutes for a help desk person to install the software for them if it's legit. Also, as a plus, it helps you keep track of licensing.
    Most any program will run in limited access mode; you may have to open up a directory here, or a DLL there, but they will run. Laziness is the only excuse for not having your users run in limited user roles.


    "I have several machines here at work I would like to back up programs and ect so that if there was a failure, a quick resotre can add the programs back to a fresh windows install without having to use the disks."
    You can have your Windows installation launch installs after it installs Windows. Also, you can include the drivers for those computers, saving you much time when dealing with laptops. Winnt.sif.
    Or if you are super cool, you can have Group Policy install all your programs for you based on the department that computer is for.

    "80% of the time, I end up backing up data, nuking the HDD, rebuilding it, fully patching windows, throwing on a Antivirus of some kind and consult with customer on how to prevent the problem in the future, the customer has always walked away happy."
    Eek, that seems like overkill to me, but if the customer is happy then I guess all is good in the world :)
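    The "open up a directory here, or a DLL there" approach from the post above, as an added example that is not code from the thread: it grants BUILTIN\Users modify rights on exactly the path a legacy program insists on writing to, shows how to read the resulting ACL back, and checks that the account is not in the local Administrators group. The application path and user name are constructed placeholders; the script must run elevated because it writes under Program Files.

```powershell
# Added example (not from the thread): carve out write access for limited users on
# one application path instead of handing them local admin. The path and the
# user name below are constructed placeholders; run this from an elevated prompt.

function Grant-UsersModify {
    param([Parameter(Mandatory=$true)][string]$Path)
    if (-not (Test-Path $Path)) { throw "Path not found: $Path" }
    $isFile = Test-Path $Path -PathType Leaf
    # Files cannot carry inheritance flags; for folders, propagate to new children.
    $inherit = if ($isFile) { [System.Security.AccessControl.InheritanceFlags]::None }
               else { [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit' }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Show what Users can do at a path, to confirm the carve-out and nothing wider.
function Get-UsersAccess {
    param([Parameter(Mandatory=$true)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
        Select-Object FileSystemRights, AccessControlType, IsInherited
}

# Confirm the account is a limited user once the carve-out is in place.
function Test-LocalAdmin {
    param([Parameter(Mandatory=$true)][string]$UserName)
    $members = net localgroup Administrators
    [bool]($members | Where-Object { $_.Trim() -ieq $UserName })
}

# Constructed placeholder: a legacy app that writes its settings next to its binaries.
$legacyData = 'C:\Program Files\LegacyApp\Data'
New-Item -ItemType Directory -Path $legacyData -Force | Out-Null   # stand-in for the app's folder
Grant-UsersModify -Path $legacyData
Get-UsersAccess   -Path $legacyData
Test-LocalAdmin   -UserName 'jsmith'    # expect False for a limited user
```

    To find out which directory or file a program actually needs, run it as the limited user with Process Monitor (Sysinternals) filtering on ACCESS DENIED results; each hit is a candidate for Grant-UsersModify, and granting Modify on those few paths is far narrower than the local Administrators membership the thread keeps coming back to.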
     
  39. Coldtronius

    Coldtronius Gawd

    Messages:
    635
    Joined:
    Mar 1, 2006
    Actually, you wouldn't believe how fast I can rebuild machines.
     
  40. Cadsworth

    Cadsworth Limp Gawd

    Messages:
    216
    Joined:
    Jun 4, 2002
    "Actually, you would'n't belive how fast I can rebuild machines"
    I don't doubt the speed; I mean, really, you need to hit what, 1 or 2 buttons to install Windows, Office and antivirus/antispyware and install all the latest updates... I just think that reinstalling Windows on 80% of the computers is a little unnecessary.