The company is mid-sized, and it's like someone dropped a bomb in there. There are a ton of end-users requesting tickets to fix spyware-related problems; in fact, it's probably 1/4 of all tickets. Users have been complaining about slower speeds. They are running a PIX firewall, but it's like they just threw it in there expecting it to take care of everything itself. The users have complete free rein to go to any sites they wish. What do you recommend to fix this spyware problem?
Spybot and Ad-Aware are the two main spyware removal tools. After that you might want to think about a company policy for downloading and installing stuff. Taking away admin rights would be a good start.
We have a Norton ghost image, so they're all the same. This is what we try:
HijackThis installed on all machines (so we don't have to d/l it every time)
Spybot installed on every machine (same)
For previous victims, IE removed from the desktop and replaced with Firefox. We say "use Firefox or else." IE is still there in case somebody needs it for business reasons. We are debating having this standard on the new image.
(separate but related)
All machines set to automatic update AND install automatically.
All machines with virus protection.
We give everybody admin because needs are so different. We don't really have the time to stop by each person and install .NET for them. We only have ~100 users so we audit once a year. We have all machines in a database, so we can track. All desktop purchases are done through us.
We are currently investigating SpywareGuard and SpywareBlaster. We've read some good things about these programs.
Microsoft's spyware thing might be worth looking into.
I write the desktop security policies in a school district of approx. 2,000 Windows machines. Here's your solution:
Turn off the ability to download ActiveX controls. ActiveX will still function, but new controls cannot be installed. This setting change alone is your best defense against spyware. (Tools-Internet Options-Security-Custom Level-Select "disable" on "Download signed ActiveX controls")
If possible, turn off the ability to download. The setting is in the same place as the ActiveX settings.
Desktop security should be set up in a way that people can't change what you've adjusted.
Make sure your desktops' antivirus software stays up to date.
Keep your systems up to date with critical security patches.
Have images of your computers handy. We use Ghost Corporate 8 or ZEN. If a machine has a problem and it takes more than 5 minutes to troubleshoot, reimage it. (It only takes us between 15-30 minutes to have a machine running 100% again) In your current situation, my advice is to reimage, reimage, reimage. You'll never be able to remove 100% of the spyware on your machines. Multicast an image to the infected machines, and all will be well.
Keep in mind that we have thousands of demon children intentionally trying to cause havoc on our systems, along with computer illiterate teachers. We don't run a single third-party spyware app. Everything we do is mentioned above, and we haven't had but a rare few spyware complaints in months.
Good tips from rfquinn.
What rfquinn said... and don't give out admin rights.
We currently run Ad-aware professional here, and updates are downloaded nightly and pushed out to every client from the server.
Since you've got an image for the machines, would it be possible to get good ol' Ghost Server up and running and re-image every machine in the entire company? And then when everyone comes complaining about lost files just go "Stop playing Casino games and we'll stop imaging your machines!"
I didn't see it anywhere yet so I thought I'd add... use pop-up blockers. I use Popup Manager and it does the trick. So much spyware is installed using pop-ups and iframes. You could also disable iframes where rfquinn was talking about disabling ActiveX, I think.
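The two posts above (rfquinn's "disable ActiveX download / disable file download, and lock it so users can't change it" and Nocturnal's "disable iframes and use a pop-up blocker") both come down to a handful of Internet Explorer security-zone settings. The PowerShell script below is an added example, not code from anyone in this thread: it audits those settings on the local machine and, with -Enforce, writes them under the HKLM Policies key so they show up greyed out in Tools > Internet Options. The Internet zone is zone 3; the setting IDs (1001, 1004, 1803, 1604, 1809), the value meanings (0 = enable, 1 = prompt, 3 = disable; for 1809, 0 means the pop-up blocker is on) and the Security_HKLM_only value are the documented IE zone registry values as I know them, and the desired values are my own choices, so treat both as assumptions to verify against your own IE build before pushing this out.

```powershell
# Added example (not from the thread): audit and, with -Enforce, lock down the
# IE Internet-zone settings discussed above.
# Assumptions: Internet zone = Zone 3; setting IDs and meanings as documented
# for IE security zones (0 = enable, 1 = prompt, 3 = disable; 1809: 0 = blocker on).
param([switch]$Enforce)

$UserZone   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyZone = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Setting id => description and the value we want (our choice, not a vendor default)
$Desired = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';          Want = 3 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';        Want = 3 }
    '1803' = @{ Name = 'File download';                             Want = 3 }
    '1604' = @{ Name = 'Launching programs and files in an IFRAME'; Want = 3 }
    '1809' = @{ Name = 'Use Pop-up Blocker (0 = blocker enabled)';  Want = 0 }
}

function Get-ZoneValue($Path, $Id) {
    # Returns the DWORD for one setting, or $null if the key/value is absent.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Id
}

function Test-ZoneLockdown {
    # A policy (HKLM) value overrides the per-user (HKCU) value, so report the
    # effective one and whether it is actually enforced by policy.
    $results = foreach ($id in $Desired.Keys) {
        $user   = Get-ZoneValue $UserZone   $id
        $policy = Get-ZoneValue $PolicyZone $id
        $effective = if ($null -ne $policy) { $policy } else { $user }
        [pscustomobject]@{
            Id        = $id
            Setting   = $Desired[$id].Name
            Effective = $effective
            Wanted    = $Desired[$id].Want
            Compliant = ($effective -eq $Desired[$id].Want)
            Enforced  = ($null -ne $policy)
        }
    }
    $results | Sort-Object Id
}

function Set-ZoneLockdown {
    # Writing under HKLM\Software\Policies makes these Group Policy values:
    # greyed out in Tools > Internet Options, so users cannot revert them.
    New-Item -Path $PolicyZone -Force | Out-Null
    foreach ($id in $Desired.Keys) {
        New-ItemProperty -Path $PolicyZone -Name $id -PropertyType DWord `
            -Value $Desired[$id].Want -Force | Out-Null
    }
    # Tell IE to ignore per-user zone settings altogether (Security_HKLM_only = 1).
    New-ItemProperty -Path $PolicyRoot -Name 'Security_HKLM_only' -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

if ($Enforce) { Set-ZoneLockdown }
Test-ZoneLockdown | Format-Table -AutoSize
```

Run it without arguments on a few machines first to see what the users have actually changed (the Compliant and Enforced columns tell you which settings are right by luck versus right by policy); run it as an administrator with -Enforce, or put the same values in a GPO, once you are happy with the list. Disabling file download (1803) is the setting most likely to break something legitimate, which is why rfquinn says "if possible."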
Good tip from Nocturnal too. D/L'ed it today, and it did find stuff that others didn't find. It won't be free forever though, only until June or July.
I've been using Microsoft's beta spyware removal software for 2 weeks. It does not remove 100% of the infections, but so far it is on par with the likes of Webroot's SpySweeper.