Anti-Spyware for Network Admins...

BigJimbo

Golden Member
Aug 4, 2002
1,193
0
0
Admins,

Are there any corporate end spyware utilities that you have deployed across your networks?

I'm looking for a spyware solution without any hardware, similar to CA Pest Patrol, Trend Micro, etc...

Any pros or cons if you have used any also.

Thanks!

PS: It's a small network, ~60-80 users
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Restricted-User accounts > *

If you happen to use a McAfee suite, call your rep and ask if they'd let you trial-test the McAfee AntiSpyware Enterprise, it deploys/configures via ePO. I'll still take Restricted-User accounts any day, though.

Also, if you do happen to use McAfee already, make sure to turn on the Unwanted Programs detections, the real-time heuristics, and the compressed-file scanning options.
 

BigJimbo

We currently deploy Norton AVcorp and just purchased the new version 10. Switching to McAfee would be a waste.

As for limiting user permissions, that's a big no-no by management. It's a headache, trust me... but they pay me to make their network work while running it their way.

I've taken a look at Symantec's Client Security, but was hoping for some feedback.

Thanks!
 

mechBgon

How cooperative are your users, out of curiosity? Are they just poorly-educated about what they're not supposed to be doing, or are they actively uncooperative about following policy?

I haven't worked with Symantec's corporate stuff, but I assume you've gone through all the options for real-time and backscanning and maxed out the auxiliary goodies (heuristics, compressed-file scanning, adware/spyware/hack-tool detection)? Running backscans at least weekly to catch stuff that slipped in before the definitions were aware of it? Sorry that's still not exactly answering the question, but every antivirus product I've ever seen needs some stuff switched from Nerf Mode to "hardball" mode :evil:

Anyway, you might want to scope out this article: link to it. That McAfee "Secure Web Gateway" appliance thingie could be a nice discreet way of stripping off about 90% of the spyware before it can even make it down the wire to the desktops. Page 2 of the review shows it being as effective as any of the desktop-based software, and you don't incur a performance hit from another RAM/CPU-hogging security app on the desktop either.

If you get a price quote from them, I'd be curious to hear what they're asking for those...
 

mechBgon

Also, if it wouldn't make management freak out, you might try some Group Policy-based approaches, such as Run Only Allowed Windows Applications.
 

BigJimbo

Let me put it this way, it's been tough to implement local GP for problematic users.

It's gotten to the point where I just do the stuff, and tell management some BS excuse, but that doesn't always fly.

I'm just waiting for the day we get hacked, that's all I can say.

Since the majority of users (90%) have local admin, spyware is quite a problem, especially when they come to me with a problem and I arrive at their computer with a ba-gillion "free dinner" or whatever pop-ups, as well as their little "native country flags" as their cursors.

Haha, oh man, I almost walked out the first month or so, but I'm slowly but surely progressing them into the new age (still NT 4.0 DCs).


_________________________________________________

We have Norton 10 Corp in place, which *supposedly* combats spyware, but since the new version has been running on some machines I have seen this is a load of malarkey.

 

mechBgon

Wow, I think I would just find another place to work, where management is not irrational :eek:

One item for your arsenal is what I call the "scorched-earth" approach. Let's say Suzie in the Accounting department keeps installing Bonzi Buddy. You can remove it, but then also go to C:\Program Files and make a Bonzi Buddy folder (or whatever folder it wants to install to). Then you hit Properties > Security and remove all access to that folder, even by SYSTEM itself. Voila, Bonzi Buddy cannot be reinstalled, because the folder is already there and cannot be accessed. And you can do this remotely by just accessing \\suzie\C$ over the network. :evil:
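
The placeholder-folder lockout described in the post above, scripted over the administrative share. This is an added example, not part of the original post: the function name and the use of PowerShell with icacls are assumptions, and the folder name must match the directory the installer actually writes to.

```powershell
# Added example. Run from an account with administrative rights on the targets.
function Lock-PlaceholderFolder {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string]   $FolderName   # assumption: installer's target dir
    )
    foreach ($computer in $ComputerName) {
        # Reach the machine through its administrative share, as in the post.
        $path = '\\{0}\C$\Program Files\{1}' -f $computer, $FolderName

        if (Test-Path -LiteralPath $path) {
            # Only lock an empty placeholder; the program must be removed first.
            if (Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
                Write-Warning "$path is not empty; uninstall the program first."
                continue
            }
        } else {
            New-Item -ItemType Directory -Path $path -ErrorAction Stop | Out-Null
        }

        # /inheritance:r strips every inherited ACE. A freshly created folder
        # carries no explicit ACEs, so the DACL is left empty: nobody is
        # granted access, SYSTEM included.
        icacls.exe $path /inheritance:r | Out-Null
        $icaclsOk = ($LASTEXITCODE -eq 0)

        # Verify instead of assuming: the owner can still read the ACL.
        $aces = @((Get-Acl -LiteralPath $path).Access)

        [pscustomobject]@{
            Computer = $computer
            Path     = $path
            AceCount = $aces.Count
            Locked   = ($icaclsOk -and $aces.Count -eq 0)
        }
    }
}

# Example call, using the host and folder names from the post:
#   Lock-PlaceholderFolder -ComputerName 'suzie' -FolderName 'Bonzi Buddy'
# To undo, restore the inherited permissions:
#   icacls.exe '\\suzie\C$\Program Files\Bonzi Buddy' /reset
```

An account with local administrator rights on the machine can take ownership of the folder and reset its permissions, so this blocks a reinstall to that one path and nothing more.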
 

networkman

Lifer
Apr 23, 2000
10,436
1
0
Additionally, some anti-virus scanners allow you to add your own filenames to the database of "viruses", so if you can add the Bonzi Buddy executable as a "virus", that will eliminate it from the network too. ;)
 

mechBgon

Originally posted by: networkman
Additionally, some anti-virus scanners allow you to add your own filenames to the database of "viruses", so if you can add the Bonzi Buddy executable as a "virus", that will eliminate it from the network too. ;)
Plus, if the software is configured to alert the user, it might put a little scare into them ;) But maybe I underestimate Suzie's brazenness :D
 

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
Some asset management tools prevent some programs from running. It's a PITA, but I know the Altiris suite does this. It's spendy though. You really need to get a risk analysis done from OUTSIDE that says "Duh, you are running as admin on all these machines." Management seems to listen to the consultant they pay a few hundred bucks an hour to more than you, who works day in and out in the environment.
 

Scarpozzi

Lifer
Jun 13, 2000
26,392
1,780
126
Just wait a short time for Novell to get their new version of Zenworks shipped. It's version 7. This is going to be an answer for many firms, even the ones that are not current Novell customers.

The reason is that Zen 7 does not require eDirectory to run and is a standalone system that offers Access Control to user systems as well as remote control, imaging, etc... It makes it possible to reduce help desk calls significantly and can replace many staff. The new system should be out either late this fall or early next year.

EDIT: BTW, you can run scripts, etc and do active sweeps for spyware using this. That was the point. It allows you to really control the desktops and keep these programs from being installed by restricting rights.