identifying spyware

PS

Hello-

We have thousands of Windows computers in a domain and are looking at
purchasing spyware detection software. I kinda think that it would be better
to save the money and create a VB script that would check for the existence
of certain spyware, for example it would check each system's registry for the
existence of

HKLM\software\gator

and it would report back which systems in the domain have this registry key.

I'm interested in hearing others' opinions on this. We can't use freeware so
our choices are either purchasing thousands of licenses for spyware
detection software, or creating scripts that can do the same.

Thanks,

PS
"This post is MY opinion only."
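The check described in the post, as an added example that is not part of the original thread: a VBScript that reads a list of computer names, connects to each one's registry through WMI's StdRegProv, and reports whether HKLM\SOFTWARE\Gator exists. It assumes the account running it is a local administrator on the targets and that remote WMI/DCOM is allowed through any firewall; the input file name, output file name and the key path are the constructed values shown in the constants.

```vbscript
' Added example (not from the thread): report which domain computers have
' a given registry key, using WMI's StdRegProv over DCOM.
' Assumptions: the account running this is a local admin on the targets,
' remote WMI/DCOM is reachable, and computers.txt (constructed input)
' holds one hostname per line.
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH = "SOFTWARE\Gator"      ' key named in the original post
Const HOST_LIST = "computers.txt"      ' constructed input file
Const REPORT = "spyware_report.csv"    ' constructed output file

Dim fso, inFile, outFile, host, result
Set fso = CreateObject("Scripting.FileSystemObject")
Set inFile = fso.OpenTextFile(HOST_LIST, 1)
Set outFile = fso.CreateTextFile(REPORT, True)
outFile.WriteLine "Computer,Status"

Do Until inFile.AtEndOfStream
    host = Trim(inFile.ReadLine)
    If Len(host) > 0 Then
        result = CheckKey(host, HKEY_LOCAL_MACHINE, KEY_PATH)
        outFile.WriteLine host & "," & result
        WScript.Echo host & ": " & result
    End If
Loop

inFile.Close
outFile.Close

' Returns "FOUND", "ABSENT" or "ERROR: <description>" for one host.
' Errors (offline host, no rights, RPC blocked) are reported, not hidden,
' so an unreachable machine is never mistaken for a clean one.
Function CheckKey(computer, hive, keyPath)
    Dim reg, subKeys, rc
    On Error Resume Next
    Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                        computer & "\root\default:StdRegProv")
    If Err.Number <> 0 Then
        CheckKey = "ERROR: " & Err.Description
        Err.Clear
        Exit Function
    End If
    ' EnumKey returns 0 when the key exists (even with no subkeys) and the
    ' Win32 error 2 (ERROR_FILE_NOT_FOUND) when it does not.
    rc = reg.EnumKey(hive, keyPath, subKeys)
    If Err.Number <> 0 Then
        CheckKey = "ERROR: " & Err.Description
        Err.Clear
    ElseIf rc = 0 Then
        CheckKey = "FOUND"
    ElseIf rc = 2 Then
        CheckKey = "ABSENT"
    Else
        CheckKey = "ERROR: Win32 code " & rc
    End If
End Function
```

Run it with cscript //nologo CheckSpywareKey.vbs so the per-host lines go to the console rather than to message boxes. The three-way result matters: a script that only distinguishes "found" from "anything else" will silently count every unreachable workstation as clean. It also shows the limit of this approach, which the replies below raise: the check is only as good as the fixed list of key names, and any variant that installs under a different key passes it.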
 
R

Roland Hall

This sounds more like a management decision rather than a technical one.

What resources will you have to apply to this project?
What projects will suffer during this time?
What is your projected ROI? With a fixed cost on commercial software, this
can be calculated easier than projected development cost, time and cost of
other projects that will be delayed, possibly affecting other departments
who may have to adjust their schedules or suffer due to delays waiting for
your team to be available.
What will it cost just to do the analysis and project how long will that
take?
Who is involved in the decision making process and what are your chances of
successfully convincing them that it is monetarily beneficial and time
saving vs off the shelf installation, with support and possibly an annual
subscription?

When you actually calculate it out, will you actually save money by
reinventing the wheel?
Do you have the technical knowledge and a full list of known spyware now?
Detecting and removing spyware are two entirely different tasks. Detection
alone is not much use.

If your idea is to script control of the registry to remove entries based
upon their application name, I think you need more research.

"We can't use freeware" I find this statement to be ironic since you also
stated this, "I kinda think that it would be better
to save the money and create a VB script..." since commercial software only
guarantees that the software will do what it says, which is not always
completely true. It does not accept liability for harm to your system or
other software you are running. Most say, "runs on blah blah blah", not
"runs on blah blah blah with all your other software."

I don't work on my Corvette and my mechanic doesn't work on his computer.
We agreed it's better to have a qualified, experienced person doing the work.

Just my opinion...


Roger Abell

PestPatrol is available in volume pricing and has a
centrally managed solution. I would imagine that there
are a number of other solutions available.
Remember, you are not paying for the software so
much as for their research and monitoring of the
spyware environment so that detection is current.
 
M

mayayana

The only reason to use anti-spyware products is if people
are downloading and installing impulse-item software on
a regular basis. If that's allowed on your computers then
a script won't help much because you need to keep up with
the details for uninstalling each junk program as it's released.

If you have some control over what gets installed, I think it
would be more useful to monitor running processes. Spyware
can't function unless it's running, so it usually sets itself to run
at startup. You'd still have to maintain some kind of listings
of file names and info., though, so that you know which programs
to disable.
The advantage of that approach would be that you're monitoring
the general, running environment, rather than just looking for famous
bandits. You could use the occasion to remove other wasteful junk
like zip drive software, printer software that runs only to look for
new drivers, frivolous check-for-updates programs, etc. Personally,
I think that might be the next big Desktop problem: having
40-odd installed programs written with the check-for-daily-updates/
the-product-is-never-finished paradigm, so that you've got 40-odd
programs running in the background, looking for patches; and your
machine becomes a very unstable, beta testing carnival.

That kind of software also blurs the line in terms of what's spyware.
These days Windows XP, Norton products and most music
players are all spyware, for instance, insofar as that they make online
contact secretly, without permission, and don't tell you what they're
communicating. It seems that you'd have to deal with those on a case-
by-case basis. Things like WinXP and Norton utilities, for instance,
obviously have to be controlled rather than removed, which is not so
simple as just checking the Registry for an executable listing.
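The "monitor the running environment" approach in the post above, as an added example that is not from the thread: a VBScript that lists the auto-start entries under the HKLM and HKCU Run keys and the running processes on one machine, and flags anything not on an approved list. It assumes it runs with administrative rights, and the approved list and the machine name "." (the local machine) are constructed values for illustration; a real list has to be built and maintained per site, which is exactly the upkeep the post warns about.

```vbscript
' Added example (not from the thread): inventory auto-start entries and
' running processes, flagging anything not on an approved list.
' Assumptions: run with admin rights; the approved list below is constructed
' for illustration; "." means the local machine (a hostname works too).
Option Explicit

Const HKEY_LOCAL_MACHINE = &H80000002
Const HKEY_CURRENT_USER  = &H80000001
Const REG_EXPAND_SZ = 2

' Constructed allow-list of vetted executable names (lower case).
Dim approved
Set approved = CreateObject("Scripting.Dictionary")
approved.Add "explorer.exe", True
approved.Add "ctfmon.exe", True

Dim computer
computer = "."

Dim wmi, reg
Set wmi = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                    computer & "\root\cimv2")
Set reg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
                    computer & "\root\default:StdRegProv")

WScript.Echo "== Auto-start entries =="
ReportRunKey reg, HKEY_LOCAL_MACHINE, "HKLM"
ReportRunKey reg, HKEY_CURRENT_USER, "HKCU"

WScript.Echo "== Running processes not on the approved list =="
Dim proc
For Each proc In wmi.ExecQuery("SELECT Name, ExecutablePath FROM Win32_Process")
    If Not approved.Exists(LCase(proc.Name)) Then
        ' ExecutablePath is Null for some system processes; & treats Null as "".
        WScript.Echo proc.Name & vbTab & proc.ExecutablePath
    End If
Next

' Lists every value under <hive>\Software\Microsoft\Windows\CurrentVersion\Run
' and marks entries whose executable is not on the approved list.
Sub ReportRunKey(regProv, hive, hiveName)
    Const RUN_KEY = "Software\Microsoft\Windows\CurrentVersion\Run"
    Dim names, types, i, data, exe, flag
    If regProv.EnumValues(hive, RUN_KEY, names, types) <> 0 Then Exit Sub
    If IsNull(names) Then Exit Sub   ' key exists but holds no values
    For i = 0 To UBound(names)
        If types(i) = REG_EXPAND_SZ Then
            regProv.GetExpandedStringValue hive, RUN_KEY, names(i), data
        Else
            regProv.GetStringValue hive, RUN_KEY, names(i), data
        End If
        exe = ExeName(data)
        If approved.Exists(exe) Then flag = "ok" Else flag = "REVIEW"
        WScript.Echo hiveName & vbTab & flag & vbTab & names(i) & " = " & data
    Next
End Sub

' Extracts the bare executable file name from a Run value such as
'   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\bar.exe -x
Function ExeName(cmd)
    Dim s, p, q
    s = Trim(cmd & "")
    If Left(s, 1) = """" Then
        q = InStr(2, s, """")
        If q > 0 Then s = Mid(s, 2, q - 2) Else s = Mid(s, 2)
    Else
        p = InStr(s, " ")
        If p > 0 Then s = Left(s, p - 1)   ' unquoted: stop at first space
    End If
    p = InStrRev(s, "\")
    If p > 0 Then s = Mid(s, p + 1)
    ExeName = LCase(s)
End Function
```

Run it with cscript //nologo to get a tab-separated listing. Everything marked REVIEW is a decision for a person, not the script: as the post notes, some of what phones home (the OS itself, the AV suite) has to be configured rather than removed, so the script's job is to make the running environment visible, not to delete entries by name.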
 
P

PS

this being a VBS group, I was hoping to get some votes that scripting would
be best...
 
C

Chris Barber

PS.

VBS is good for some things (a lot really) but something as complex as
detecting spyware is best achieved with a 3rd party supported solution.
Adaware has the benefit of being both excellent and free. There are others
such as PestPatrol and of course the licensed versions of Adaware. Either
way you're going to have to put together a 'Management' scenario to
distribute and keep the software up to date. Actually running it is another
kettle of fish altogether. Most of the solutions depend on user input and I
can't vouch for PestPatrol since I've never tried it myself but I believe
that it is a centrally managed solution (much better for your needs I would
presume).
As already stated, the issue here is probably more to do with the access and
rights that individual users have on their workstations. Locking out the
right to install 'untested' software usually does the trick and certainly an
internet proxy can help. However, depending on the needs of the users you
may find that this is unmanageable or causes too much hassle with users
that are used to being able to install just about anything they want on
their machines. Often, office based workstations are also woefully bereft of
visits to Windows Update and as such are generally as holey as Swiss
cheese.

My suggestions:

Step 1: Make sure your OSes are up to date (eg. W2K or WinXP as opposed to W98
and below).
Step 2: Run Windows Update on *all* machines (especially service packs and
security updates).
Step 3: Make sure the IE and Office versions on all machines are up to date.
Step 4: Make sure a good current AV solution is in place (and especially
that it is locked down so users can't disable it). Ideally it should be
centrally managed and auto-update at least once a day.
Step 5: Install and operate an internet proxy and / or a firewall.
Step 6: Put a group policy in place to remove local administrative rights to
all machines unless specifically required (eg. software developers) and
consider placing such machines in a group of their own so that
cross-contamination doesn't occur. More to the point, software developers
often require nightly disk images for when they toast their machines and
need to re-image the HD. I'm on re-image 15 so far in just 2 years.
Step 7: Now you can think about extra stuff like centrally managed
anti-spyware etc.

Sounds like a lot but this is the life of a sysadmin. This is why they are
often too busy to talk to you when you fry a machine or lose a HD and also
why anything over 10 workstations in the office *requires* a full-time IT
sysadmin.

NB: VBS is very good at handling stuff like logon scripts that take care of
managing settings, attaching shared drives, making sure software is
installed etc. A relatively good solution is to get hold of Microsoft SMS
(Systems Management Server) and let it auto-install the client components -
this then gives you the capability to centrally manage things like software
releases, updates etc.

Oh, I also nearly forgot to add Office Updates to the list of things to
consider. It's nice if IE is up to date but what about Outlook? If that's
got holes in it then the first virus email in to the system will cause
havoc. And leading on from that you also need to consider the incoming and
outgoing emails - make sure you have a server based AV solution that scans
the email.

Hope this helps (or at least gets you thinking).

Chris.


Roger Abell

but I read and responded in the security_admin newsgroup.

f/u being set to scripting.vbscript