Microsoft Anti Spyware

Guest

Hi,

I have a small 650 station Windows XP network supported by 8 server 2003
servers. Our clients are a mix of SP1 & SP2. We run SMS 2003 and Symantec
Anti Virus 8.1 Corporate. We run Exchange Server 2003 & ISA server 2000
(soon to be upgraded to 2004) and GFI Download & Mail security.

We plan to update all workstations to SP2 and are currently using SMS to
bring all our clients up to date.

Our Business is Education (school) and our customers (students) like to
challenge our desktops (& servers!). We have suffered with lots of spyware
in certain areas of the school (i.e. those areas with the more relaxed
teaching staff). We can't afford Lavasoft but the MS beta product looks
good.

Has anyone any experience in deploying this across a corporate network and
are there any downsides or tips you could share? I believe there is mention
of possible adverse effects with certain MS software but details are sketchy
and I'm not sure whether this has been fixed as of yet.

I appreciate that MS may decide to start charging subscriptions for this
product once it finishes BETA and I don't have an issue with this as we
always get MS software very cheaply and I don't think I would have a problem
selling an MS anti spyware solution to my line manager.


Any comments would be appreciated

Andy.
 
Carey Frisch [MVP]

Welcome to Microsoft Windows AntiSpyware (Beta) Newsgroups
http://communities.microsoft.com/newsgroups/default.asp?ICP=spyware&sLCID=us

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

 
Wesley Vogel

Wait until it's out of BETA. As it is now it can cause problems.

Problems times 650 equals PROBLEMS.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Leythos

Use your firewall to stop most of it - if you do content filtering on
the Dynamic Address ranges (once most of your computers are using I
would guess) for content and other items then you can block most of it.
We implemented HTTP filtering of content and also blocking of 14
categories of crap and it's really made a difference in our clients
networks and maintenance issues.

You could also look at locking down the computers using a group-policy
or other means.

The firewall is the first place to start.
 
JW

you can block nearly all of it with the following solutions:
http://www.mvps.org/winhelp2002/hosts.htm
and IE-Spyad, Spyware Blaster, Spybot Search & Destroy, and the
Purchased version of AdAware or SpySweeper. from my experience,
these are the best solutions i have found. I use these, I never get any
spyware, and i don't even have a hardware firewall.

the Free version of AdAware does Not stop the installation of spyware.
the Free version of AdAware only cleans up the crap, after the damage is
already done. only the Purchased version of AdAware has a memory
resident component that proactively scans for spyware.
some settings will also help, e.g. Block All Third Party Cookies (in the
Privacy tab of IE).

it is important to realize that these solutions are not a 100% guarantee
against spyware. there are plenty of other ways spyware can be
installed besides an internet browser. any PC with a USB port or floppy
drive can be infected. P2P and IM software are also very efficient
avenues of infection.
 
Guest

Hey thanks for the posts guys. Really useful.

We have been running ISA server for 3 years now so I have had time to
configure a fairly tight system but still some stuff gets through and that's
what I am interested in cleaning up be it after the event or as it tries to
install. We actively block all P2P, IM and external email services and
provide staff / pupils with our own Exchange email account which we know is
virus scanned. Floppy disks we have virtually eliminated as we haven't
bought any new clients with floppy drives for the last two years.

USB pens / drives have really taken off with around 1/8 of students now
using them. I do worry about what they are bringing in; I know GFI has a USB
security tool but it will work out very expensive for us so we may not be
able to look at that until 2006. USB MP3 players are also very popular.

We have found student accounts on our servers that contain virus creation
tools and other malware so we know they are trying!

Anyhow thanks for the URL, looks like we will have a new destination set
come Monday.

Cheers Guys

Andy.
 
JW

regarding what programs students can execute, there is a Group Policy in
XP Pro that allows an administrator to itemize what programs are allowed
to execute. so, if the program is not in the Group Policy list, then it
cannot be executed. i presume this would prevent any programs from
executing that students bring in on a USB device. of course, they could
still copy their files from USB to their account, but their executables
would not run.

if i understand this right, then the payload of the malware would be
difficult to deliver, unless you allowed write access to the \Program
Files folder or \Windows folder. since i have not tried this GPO, maybe
somebody smarter than me can confirm this. and it's over my head to
imagine how this GPO would affect the option to "allow a DLL to run as
an application".

of course, all of this discussion stands or falls on the integrity of
the operating system. but since operating system vulnerabilities are
announced nearly on a monthly basis now, all the suggestions in the
world will still leave you behind in the fight against virus/worm
developers. so, security is ultimately a matter of degree. the more
layers you have, the greater the degree of security. but there never
will be 100% security as long as sleep-deprived humans write the software.
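
The allow-list policy JW describes above, modelled as an added example that is not part of the original thread or any poster's code: a simplified Python sketch of default-deny path rules, showing what is blocked, what the policy does not cover, and which writable folders would undermine it. The rule set, file-type list and folder names are constructed assumptions, not an export of a real Group Policy.

```python
import ntpath

# Simplified model of a default-deny software restriction policy with path
# rules. All rules, extensions and folders below are constructed for the example.
DISALLOWED, UNRESTRICTED, NOT_COVERED = "Disallowed", "Unrestricted", "Not covered"

# Assumed subset of the file types the policy treats as executable.
EXECUTABLE_TYPES = {".exe", ".com", ".bat", ".cmd", ".vbs", ".msi", ".scr", ".pif"}

# Allow-list: only software under these folders may run.
PATH_RULES = [(r"C:\Windows", UNRESTRICTED), (r"C:\Program Files", UNRESTRICTED)]

# Constructed list of folders a student account can write to.
STUDENT_WRITABLE = ["E:\\", r"C:\Documents and Settings\student\My Documents",
                    r"C:\Windows\Temp"]

def norm(path):
    """Case-fold and collapse '..' so C:\\Windows\\..\\Temp cannot pose as C:\\Windows."""
    return ntpath.normcase(ntpath.normpath(path))

def is_under(path, root):
    """True if path is root itself or inside it (C:\\WindowsFake is not C:\\Windows)."""
    path, root = norm(path), norm(root)
    return path == root or path.startswith(root.rstrip("\\") + "\\")

def evaluate(path, rules=PATH_RULES, default=DISALLOWED):
    """Return the security level the policy assigns to launching `path`."""
    if ntpath.splitext(path)[1].lower() not in EXECUTABLE_TYPES:
        return NOT_COVERED          # documents and media are not execution events
    matches = [(len(norm(root)), level) for root, level in rules if is_under(path, root)]
    if not matches:
        return default              # nothing on the allow-list matched: blocked
    return max(matches, key=lambda m: m[0])[1]   # most specific path rule wins

def bypass_locations(writable_dirs, rules=PATH_RULES):
    """Folders a student can write to that the allow-list still trusts."""
    return sorted(d for d in writable_dirs
                  if evaluate(ntpath.join(d, "probe.exe"), rules) == UNRESTRICTED)

if __name__ == "__main__":
    samples = [r"E:\game.exe",
               r"C:\Documents and Settings\student\My Documents\game.exe",
               r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",
               r"C:\Windows\..\Temp\a.exe",
               r"E:\song.mp3"]
    for p in samples:
        print(f"{evaluate(p):<13} {p}")
    print("Writable but trusted:", bypass_locations(STUDENT_WRITABLE))
```

Any folder reported by `bypass_locations` needs either tighter permissions or a more specific Disallowed rule, and the `Not covered` result shows why this kind of policy does not by itself stop media files being copied from a USB device.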
 
Lanwench [MVP - Exchange]

Andy said:
USB pens / drives have really taken off with around 1/8 of students
now using them. I do worry about what they are bringing in; I know
GFI has a USB security tool but it will work out very expensive for
us so we may not be able to look at that until 2006. USB MP3 players
are also very popular.

You can block this entirely if you wish.
 
Guest

JW said:
regarding what programs students can execute, there is a Group Policy in
XP Pro that allows an administrator to itemize what programs are allowed
to execute. so, if the program is not in the Group Policy list, then it
cannot be executed. i presume this would prevent any programs from
executing that students bring in on a USB device. of course, they could
still copy their files from USB to their account, but their executables
would not run.

Software restriction policy?

Something that has been mentioned a few times in passing and not something I
have ever explored. Perhaps the time is ripe!

Andy.
 
Guest

"Lanwench [MVP - Exchange]"
You can block this entirely if you wish.

I would like to have some control over what is copied to / from the USB pen
whilst it is plugged into one of the classroom computers. Perhaps if I could
selectively block .mp3 .wmv whilst allowing .doc .xls

Is there an inbuilt feature in Windows that I should be using for this?

Andy.
 
Lanwench [MVP - Exchange]

Andy said:
"Lanwench [MVP - Exchange]"
You can block this entirely if you wish.

I would like to have some control over what is copied to / from the
USB pen whilst it is plugged into one of the classroom computers.
Perhaps if I could selectively block .mp3 .wmv whilst allowing .doc
.xls

Is there an inbuilt feature in Windows that I should be using for
this?

No - not that I know of. You can disallow users to install/use USB devices
in the first place, though.
 
Guest

"Lanwench [MVP - Exchange]"
No - not that I know of. You can disallow users to install/use USB devices
in the first place, though.


I would rather students use USB pens than floppy disks, seen too much work
lost on them damn things.
 
Lanwench [MVP - Exchange]

Andy wrote:

I would rather students use USB pens than floppy disks, seen too much
work lost on them damn things.

Why do they actually need either?
 
Guest

"Lanwench [MVP - Exchange]"
Why do they actually need either?

Taking work home or bringing work into school from home. We provide VPN and
Remote Desktop but only 10% of our student base make use of that.

It's really the .exe, .mp3 etc files that I would like to block from being
accessed. I need to look at Software Restriction Policies to see how we can
leverage that.

I have come across the following free utility
http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm that I
intend to look at.

Thanks,

Andy.
 
