RE: [ActiveDir] OT:spyware

[Kern, Tom]

We don’t push out enough clients to merit ghost. About 5-10 a month. We just get the preinstalled os with HP and run thru the mini setup and install AV,Office,patch,etc.   Do you think ghost would be better in this environment?   Do you guys use RIS at all?   From: Dan DeStefano [mailto:[EMAIL PROTECTED] Sent: Thursday, September 30, 2004 9:40 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   For the last part, have you thought about desktop imaging using a product such as Symantec Ghost or Altiris Client Management Suite? Then you could create standard desktop images for your clients. Then you could implement folder redirection to redirect users' My Documents folders to their home folders on the network and, if you want, enable roaming profiles so that user profiles are stored on a server. Then configure the NTFS permissions on the client machines so that the only place locally that users can write to would be their user profile directory (users would obviously need to be restricted users on the local machines, not administrators). This would make the data on the client machines expendible, so if you have an outbreak and the machine gets totally borked, you could simply re-image it. There are other aspects to this as well - if the user's roaming profile or home folder is infected you would have to clean it, but that can be done from your workstation and you wouldn't have to visit every machine.   Just an idea   _________________________   Daniel DeStefano    -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 5:52 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware As re: Symantec, a lot of the viruses I’ve been getting lately have been viruses that are over a year old and defs have been out for awhile so I’m puzzled as to why I keep getting infected.   The spyware/adware I think may be virus related and not web “push” related, but I’m not positive.   When you say “policy”, you are referring to locking down desktops or a written set of standards provided by IT or upper management?   Its diffcult for me to block web sites on content as I work for a large liquor distribution firm where many sales reps and managers have to go to bar/club or liquor sites that have content which result in a lot of false positives for me.   Finally, we have over 400 users and if  I really had a large outbreak(100+ pc’s), I really don’t know how I would take care of it. I’m the only admin and going to each pc  to clean individually would be insane. How would I take care of that? Its thoughts like that which keep me up at night…   Thanks       From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 29, 2004 5:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   There are examples out there of viruses elevating privileges if that's what you're asking.  The goal of virus defense is to limit the impact not necessarily prevent every single infection.  Things happen and you have to either decide to limit the amount of damage a virus or errant user or hacker, etc can do or you have to bet that you are catching everything before it happens.   Not only in your experience, but logically, you cannot prevent everything.  Virus defs lag exploits because one has to exist before the other.  Turns out the virus usually exists before the def does, right?   Your spyware problem is different.  It could be a lot of things, or it could be that this is a symptom of a larger issue.  Can't quite tell from the thread information so far.   Typical antivirus strategy has been to go after the "four sectors" file and print, smtp, desktops, and mail groupware servers.  The web adds another sector to go after and changes the paradigm from a pull to a push type of flow.  The users actively go after content vs. having it sent to them.   Spyware may is not all bad though, right? Some of it is undesirable such as tracking cookies etc.  Some of it leads to malware and really sucks to get rid of.  Ask any IT person with a non-tech teenage neighbor ;)   Best bet is to start with a policy and work back from there to a strategy and then to an execution plan. If your current strategy isn't working, it might be worth it to revisit the planning and then design the solution and deploy it to meet those requirements and direction.  Why not just jump to action?  I say this because you may be able to treat the symptoms now, but you'll just be waiting for the next one with no clear reaction plan or alternatives when it hits.    My $0.02 anyway.       From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 5:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware When a user gets a virus, that virus will execute under that user’s security context. So a regular user should NOT have a virus write to those keys. True?   Or can a virus somehow get localsystem access?   Thanks   As to Symantec, I know this is not the forum for this, but I’m pretty much at my limit with their products. I get infected by viruses that came out a year or 6 months ago AND all our definitions are up to date. I could chalk it up to my fault as an admin, if someone could just explain to me how I can be infected by a virus I already have the defs for. I assume the real time auto protect service is made to start BEFORE any virus or worm does. Oh well. End of rant.       From: Dan DeStefano [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 29, 2004 5:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   Remember that Ad-Aware can only be legally used in non-commercial environments. Spybot S&D and Spyware Blaster are both free to both home and corporate users, so I usually use these instead of Ad-Aware. Regular users should not be able to write to the hklm\software\microsoft\windows\current version\run key unless you have changed the key's permissions.     Daniel DeStefano         -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 4:14 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT:spyware Lately I my users have been plagued with spyware and adware. What do you guys do to fight this? Can Spybot be pushed out as an msi via a gpo? Or ad-aware? Should I set the killbit on all the local active x controls? Should I prevent active x and _javascript_ing in IE thru a gpo?   I’m running win2k/xp clients, but mostly win2k.   Finally, when you get a worm or a virus that writes to the hklm\software\microsoft\windows\currentversion\run key, does the worm/virus run under the user’s security context? Meaning, if the user is just a local user and thus has no privileges to write to those keys, shouldn’t the worm or virus not be able to as well?   Thanks and sorry for the deluge of questions, OT as they are.