Spyware Prevention


jpearcy
Spyware Prevention
« on: April 01, 2009, 03:35:48 PM »
Hello All,

I am trying to get a list of some steps we can take at work to prevent spyware. We have about 700 workstations and most of the users are straight out of college and go wherever they feel like in their web browsers. We use the Trend Micro client/server antivirus/antispyware solution. Recently I was able to convince the CTO to allow me to take away all users' local admin rights. We saw a big reduction in spyware cases after taking admin rights away. My question is what other big steps can we take in avoiding infections. I know a lot of people will say don't use IE. Well, we have a web application that everyone uses that is only 100% supported by IE, so that isn't going to change. I used Group Policy to lock down IE as much as possible without hindering the web app. Any tips are greatly appreciated.

PCBruiser
Re: Spyware Prevention
« Reply #1 on: April 01, 2009, 04:03:48 PM »
What OS do your workstations use?  What OS do you use on your servers?  What gateway hardware and workstation security software packages are you currently using?  For example, you mention TM's A/V but do you also use their software firewall?  Do you use a WLAN as well as a LAN?  Do you have multiple LAN zones?  Do you permit laptops as well as desktops?  Are visitors allowed to connect laptops to your LAN which are not issued by your company?  What kinds of malware have you seen infesting systems on your network in the past few months?
Don't Read?  Can't learn!

jpearcy
Re: Spyware Prevention
« Reply #2 on: April 01, 2009, 04:24:17 PM »
All workstations are running Windows XP. Servers are running Server 2003 and Server 2008. The only security software we are running is TM antivirus/antispyware, and I forgot to mention that the firewall is turned on for workstations in TM. It's on the most strict filtering setting. I do have some exclusions in the firewall settings, like allowing certain subnets to access Remote Desktop and file shares on workstations. We do have wireless access, but it's in a separate VLAN that only has internet access, not internal LAN access. We have multiple VLANs, but workstations and servers are in the same VLAN. We have desktops and laptops. Visitors can connect to wireless, but like I said it's a different VLAN and a different subnet with just internet access. We have a Cisco ASA as the firewall/gateway. The most common spyware lately is XP Antivirus, PCDefender, Vundo and Virtumonde.

PCBruiser
Re: Spyware Prevention
« Reply #3 on: April 02, 2009, 07:52:48 AM »
OK, sounds like you are pretty good so far.  I do have a couple of suggestions to get started.

1.  To supplement the security software you have now, I would suggest adding Malwarebytes' Anti-Malware, otherwise known as MBAM in the security sector.  It is exceptionally effective at detecting, preventing and removing most common rogues and Vundo variants.  We use it here all the time to start complex clean-ups (check out our HJT forum and you will see it used almost all the time), and the developers are all members here, monitor what we find, request exemplars and immediately add them to their database and/or heuristics.  Good program, try it out.  And it is inexpensive, fast and easy to deploy and maintain.  http://www.malwarebytes.org/

2.  Given that most of the rogues and Vundo come from accessing dodgy sites (porn, crackers, etc.), there are two quick and easy methods for locking down Internet access:

a. Establish your own DNS server on your LAN(s).  I assume you already have Network Properties locked down.  It sounds like you would have done that early on.  Then, black hole all DNS requests except those you want to white list and permit access to.  This method is extremely restrictive, and you can actually do it on your Cisco gateway.  It shouldn't be too bad to establish, because I would be surprised if you would need to white list more than a hundred or so sites.  Alternatively, black listing all IPs for China, Russia and the Ukraine would help avoid the majority of those types of malware.

b. Less restrictive is to change your DNS from your ISP (which is where I assume it is currently) to something like OpenDNS.  http://www.opendns.com/  I know they do corporate, but I am not sure what the arrangements are for that.  This is less restrictive, but does prevent access to known porn, phish, crack, etc., sites.

You can mix and match those two methods.  For example, for some classes of users you point their DNS to your gateway.  For others, where you need to provide them more access, use something like OpenDNS for their DNS servers.  Let me know what you think, and whether these suggestions sound like possible solutions for your malware issues.
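As an illustration of the "black-hole everything except the white list" approach in Reply #3, here is a small editor-added Python policy check (not code from this forum, nor from any product named in the thread). It decides, for a few constructed resolver-log lines, which queries a restrictive internal DNS server would answer and which it would sink-hole, with a constructed address range standing in for the per-country block that was also suggested; every domain, client address and range below is made up.

```python
# Added example, not code from the forum: a DNS allow-list / block-range
# policy check modelled on the "black-hole everything except the white list"
# idea above, run over constructed resolver-log lines. Domains, clients and
# blocked ranges are all made up (documentation prefixes, not real ones).
import ipaddress

SINKHOLE_IP = "0.0.0.0"  # assumed black-hole answer handed back to clients
# Constructed allow-list: a bare domain also covers its subdomains.
ALLOWED_DOMAINS = {"example-erp.internal", "opendns.com", "malwarebytes.org"}
# Constructed stand-in for the per-country IP ranges suggested above.
BLOCKED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def is_allowed(qname, allowed=ALLOWED_DOMAINS):
    # Logs vary in trailing dot and case, so compare on one canonical form.
    # Exact or proper-subdomain match only: the leading dot stops
    # 'evil-example-erp.internal' from matching 'example-erp.internal'.
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowed)

def in_blocked_range(answer):
    ip = ipaddress.ip_address(answer)
    return any(ip in net for net in BLOCKED_RANGES)

def resolve_policy(qname, real_answer):
    # Answer a policy-enforcing resolver hands back for one query.
    if is_allowed(qname) and not in_blocked_range(real_answer):
        return real_answer
    return SINKHOLE_IP

# Constructed log lines: "<client> <qname> <answer the upstream returned>"
SAMPLE_LOG = """\
10.1.2.31 www.example-erp.internal. 10.0.0.5
10.1.2.31 cdn.example-erp.internal 10.0.0.9
10.1.2.44 update.malwarebytes.org 203.0.113.7
10.1.2.44 totally-not-a-rogue.example 203.0.113.23
10.1.2.50 evil-example-erp.internal 10.0.0.5
10.1.2.61 mirror.opendns.com 198.51.100.8
"""

def apply_policy(log_text):
    # (client, qname, decision) per line; sinkholed decisions are the ones
    # worth reviewing as possible infections or policy violations.
    out = []
    for line in log_text.splitlines():
        client, qname, answer = line.split()
        decision = resolve_policy(qname, answer)
        out.append((client, qname.rstrip(".").lower(), decision))
    return out

def sinkholed_clients(log_text):
    return {c for c, _, ans in apply_policy(log_text) if ans == SINKHOLE_IP}
```

Running `sinkholed_clients(SAMPLE_LOG)` gives the three constructed clients whose lookups were refused, which is the list a desk would triage first.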

jpearcy
Re: Spyware Prevention
« Reply #4 on: April 02, 2009, 08:04:58 AM »
Thanks for the suggestions. I will check out MBAM. We currently have 3 in-house DNS servers here at corporate and a DNS server at each remote office. We currently have our forwarders pointed at OpenDNS for external lookups. As far as blocking all DNS requests at the gateway goes, I have had a change request in with the CTO on that for a while now and haven't got approval to make the change. Again, thanks for the info. I am glad to see there is another good security discussion forum out here after CastleCops went dark.

PCBruiser
Re: Spyware Prevention
« Reply #5 on: April 02, 2009, 08:09:41 AM »
We are all here former CC staff, and we started SH last September to provide a place for our staff to stay together, which was important to all of us.

jpearcy
Re: Spyware Prevention
« Reply #6 on: April 02, 2009, 08:11:26 AM »
Good to know. I will definitely spread the word. I know a lot of people that are looking for a CC alternative.

williamkidd
Re: Spyware Prevention
« Reply #7 on: April 03, 2009, 12:51:47 AM »
Hi. Just wanted to drop in with some thoughts.

It's possible that you could use Firefox along with the IE Tab extension instead of IE. IE Tab is basically IE within Firefox. Useful plug-ins for Firefox are Adblock Plus, NoScript, and Web of Trust. I use this combo on my system and the only things that I have to worry about are a handful of advertising cookies which are taken care of by SuperAntiSpyware. This Mozilla forum thread has a discussion about deploying FF.
Penny, everything is better with Bluetooth. - The Big Bang Theory

PCBruiser
Re: Spyware Prevention
« Reply #8 on: April 03, 2009, 07:52:07 AM »
Your suggestion kind of misses a critical point - employees shouldn't be accessing business-inappropriate sites in the first place.  There is no legitimate business (or moral or ethical, for that matter) reason why employees should access porn, crack, etc., type sites from within the company.  So, the issue isn't simply using a browser less vulnerable to malware exploitation, although admittedly that might help a bit.  The issue is, since employees continue to access inappropriate sites despite policies to the contrary, how do you force involuntary compliance?  Answer?  By tightening down Internet access and making it considerably more difficult to access inappropriate sites from within the company's LAN, regardless of what browser is being used.  In the absence of tightening down Internet access, employees could still easily avoid the use of FF by using a mobile browser on a USB stick, etc.  You leave too big a security hole implementing tighter controls in any other way from within individual systems.  It really needs to be done within the topology of the LAN to be effective.
« Last Edit: April 03, 2009, 07:56:31 AM by PCBruiser »

williamkidd
Re: Spyware Prevention
« Reply #9 on: April 03, 2009, 10:13:40 AM »
I'm still learning PCB.  :)  However, I wasn't suggesting FF et al. as an alternative to what you've suggested but only an alternative to IE while still allowing an IE emulation. Even with black/whitelisting, employees will still use Google unless it's restricted, right? That was what the WoT suggestion was for. Legitimate sites still have things that are better kept off one's system even if they're not "bad", like tracking cookies or ad images, thus the ABP and NS suggestions. I totally agree with you that employees should be, you know, working. But do you blacklist sites like shopping sites, bank sites, and other possible legitimate information resources (like Wikipedia)?

PCBruiser
Re: Spyware Prevention
« Reply #10 on: April 03, 2009, 10:22:01 AM »
What to block or not is a company policy issue.  Some employers' policies are as restrictive as possible, including no internet access at all.  Others are extremely liberal and permit unlimited access.  Between those two extremes are all kinds of levels of blocking.  More specifically, why should an employer permit an employee to shop or do banking while on company time?  Some employers may feel it is OK; others can legitimately say that employees are being paid to work, not shop or handle their private financial affairs on company time.

BTW, we are all learning all the time, me included.