Re: [ActiveDir] OT:spyware

2004-10-01 Thread Bart Van den Wyngaert
Client rollout you can do yourself by using unattended setup through the network. The only thing that can be a problem is the number of different hardware types, but I believe that you can easily simplify the installations and standardize them (which is a good thing, I believe). A benefit is in case of reinstallation. In the beginning it's a bit of searching your way, but once you get hold of the process, it's quite fun to set up :-)

But you will need another solution for the deployment of patches etc., which comes afterwards when the clients are already in production; I believe that you can find one which meets your requirements etc. very easily ;-)

Regards,
Bart

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 08:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

Yes, but have you *met* your son yet?



mc


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kern, Tom
Sent: Thursday, September 30, 2004 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware



I exaggerate a bit.



I have a staff of 3 to do basic help desk for 400 users here in NYC and another 100 upstate.

I'm the only one who supports server-side stuff: AD, Exchange, AV, firewall, routers/switches, DR testing, BlackBerry, etc., and help desk if the other 3 are too busy.

So it's not as bad as it seems.

I had enough time to get married and have an 18-month-old boy :)



Thanks for all your help. you guys are great.

RE: [ActiveDir] OT:spyware

2004-09-30 Thread Robert N. Leali

It is possible to get virus infections even with current virus definitions. My experience with Nachi/Welchia and 5000+ workstations at my last employer taught me that. If you have Nachi/Welchia in your system on just one machine, it's going to continually try to find machines to infect in your subnets. If you have current virus definitions but you haven't applied the Microsoft patch, the machines will get reinfected and then the virus scanner will clean the machine, reporting that the virus was cleaned. It's a vicious cycle. Basically, you have to clean, patch, and then clean to end the cycle. In our situation, we used a start-up script to install the Microsoft patch on the machine and then execute McAfee's STINGER program to clean the virus.

As to Spyware, we are using a web filter on the ISA Server 
to block spyware from ever getting to the machine. The vendor has a category 
called "spyware" that seems to cover everything except Gator/GAIN. We 
added URL's for those as well. So far, it seems to be working but we are 
only 3 weeks into the test. We also blocked downloading of executables and 
some other file types at the proxy.

Hope this helps ..


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware


As re: Symantec, a lot of the viruses I've been getting lately have been viruses that are over a year old and defs have been out for a while, so I'm puzzled as to why I keep getting infected.

The spyware/adware I think may be virus related and not web push related, but I'm not positive.

When you say policy, are you referring to locking down desktops or a written set of standards provided by IT or upper management?

It's difficult for me to block web sites on content, as I work for a large liquor distribution firm where many sales reps and managers have to go to bar/club or liquor sites that have content which results in a lot of false positives for me.

Finally, we have over 400 users, and if I really had a large outbreak (100+ PCs), I really don't know how I would take care of it. I'm the only admin, and going to each PC to clean individually would be insane.
How would I take care of that?
It's thoughts like that which keep me up at night.

Thanks







From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

There are examples out there of viruses elevating privileges, if that's what you're asking. The goal of virus defense is to limit the impact, not necessarily prevent every single infection. Things happen, and you have to either decide to limit the amount of damage a virus or errant user or hacker, etc. can do, or you have to bet that you are catching everything before it happens.

Not only in your experience, but logically, you cannot prevent everything. Virus defs lag exploits because one has to exist before the other. Turns out the virus usually exists before the def does, right?

Your spyware problem is different. It could be a lot of things, or it could be that this is a symptom of a larger issue. Can't quite tell from the thread information so far.

Typical antivirus strategy has been to go after the "four sectors": file and print, SMTP, desktops, and mail/groupware servers. The web adds another sector to go after and changes the paradigm from a pull to a push type of flow. The users actively go after content vs. having it sent to them.

Spyware may not be all bad though, right? Some of it is undesirable, such as tracking cookies etc. Some of it leads to malware and really sucks to get rid of. Ask any IT person with a non-tech teenage neighbor ;)

Best bet is to start with a policy and work back from there to a strategy and then to an execution plan. If your current strategy isn't working, it might be worth it to revisit the planning and then design the solution and deploy it to meet those requirements and direction. Why not just jump to action? I say this because you may be able to treat the symptoms now, but you'll just be waiting for the next one with no clear reaction plan or alternatives when it hits.

My $0.02 anyway.






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 5:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

When a user gets a virus, that virus will execute under that user's security context. So a regular user should NOT have a virus write to those keys.
True?

Or can a virus somehow get LocalSystem access?

Thanks

As to Symantec, I know this is not the forum for this, but I'm pretty much at my limit with their products. I get infected by viruses that came out a year or 6 months ago AND all our definitions are up to date.
I could chalk it up to my fault as an admin, if someone could just explain to me h

RE: [ActiveDir] OT:spyware

2004-09-30 Thread Kern, Tom

The viruses I've been getting are w32.spybot.worm and bat.mumu.A.worm (all Symantec's names).

We are patched and up to date. The machines (anywhere from 5-10) get infected and then start going out on ports 445 and 6667. This is enough to slow our network to a crawl at times.

I thought patching just prevents those holes from being exploited but does not prevent you from getting the virus and having it use your machine to attack another unpatched one.

Am I wrong?





thanks
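The symptom Tom describes above (a handful of infected machines sweeping port 445 and going out on 6667) stands out clearly in firewall or flow logs, and spotting the infected hosts from the logs is the first thing an admin who cannot visit every PC needs. The script below is an added example, not code from this thread: it runs that check over constructed sample log lines. The line format, the internal address ranges and every address in the sample are assumptions made for the example, not anything from a real network.

```python
"""Flag hosts showing the Spybot/Mumu traffic pattern from the thread: outbound
SMB (445/tcp) fan-out across many distinct hosts, and outbound IRC (6667/tcp).
The log format and all addresses below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line format: "2004-09-30 08:41:00 src=10.1.2.34 dst=10.1.3.1 dport=445 proto=tcp"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed site ranges


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_suspects(lines, fanout_threshold=20, window=timedelta(seconds=60)):
    """Return {src: [reasons]} for internal hosts that look infected.

    A host is flagged when it contacts at least `fanout_threshold` distinct
    hosts on 445/tcp inside any `window` (worm scanning), or when it opens
    6667/tcp to a non-internal address (IRC bot check-in)."""
    smb = defaultdict(list)  # src -> [(ts, dst)]
    irc = defaultdict(set)   # src -> {external dst}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or not is_internal(rec["src"]):
            continue
        if rec["dport"] == 445:
            smb[rec["src"]].append((rec["ts"], rec["dst"]))
        elif rec["dport"] == 6667 and not is_internal(rec["dst"]):
            irc[rec["src"]].add(rec["dst"])

    alerts = {}
    for src, events in smb.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # distinct destinations reached within `window` of this event
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= fanout_threshold:
            alerts.setdefault(src, []).append(f"smb_fanout:{peak}")
    for src, dsts in irc.items():
        alerts.setdefault(src, []).append("irc_outbound:" + ",".join(sorted(dsts)))
    return alerts


def fmt(ts, src, dst, dport, proto="tcp"):
    return f"{ts:%Y-%m-%d %H:%M:%S} src={src} dst={dst} dport={dport} proto={proto}"


def sample_log():
    """Constructed sample: one infected host (10.1.2.34) sweeping a subnet on 445
    and checking in to an IRC server, plus two benign hosts using the file server."""
    base = datetime(2004, 9, 30, 8, 41, 0)
    lines = [fmt(base + timedelta(seconds=i), "10.1.2.34", f"10.1.3.{i + 1}", 445)
             for i in range(25)]                       # 25 targets in 25 seconds
    lines.append(fmt(base + timedelta(seconds=30), "10.1.2.34", "203.0.113.9", 6667))
    lines += [fmt(base + timedelta(seconds=5 * i), "10.1.2.50", "10.1.0.5", 445)
              for i in range(3)]                       # repeated SMB to one server
    lines.append(fmt(base, "10.1.2.60", "10.1.0.5", 445))
    lines.append(fmt(base, "10.1.2.60", "10.1.0.6", 445))
    lines.append("not a flow record")                  # malformed lines are skipped
    return lines


if __name__ == "__main__":
    for host, reasons in find_suspects(sample_log()).items():
        print(host, reasons)
```

The benign hosts hit the file server on 445 repeatedly but reach only one or two distinct hosts, so the distinct-destination count, not the raw connection count, is what separates ordinary SMB use from a sweep.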

RE: [ActiveDir] OT:spyware

2004-09-30 Thread Dan DeStefano



For the last part, have you thought about desktop imaging using a product such as Symantec Ghost or Altiris Client Management Suite? Then you could create standard desktop images for your clients. Then you could implement folder redirection to redirect users' My Documents folders to their home folders on the network and, if you want, enable roaming profiles so that user profiles are stored on a server. Then configure the NTFS permissions on the client machines so that the only place locally that users can write to would be their user profile directory (users would obviously need to be restricted users on the local machines, not administrators). This would make the data on the client machines expendable, so if you have an outbreak and the machine gets totally borked, you could simply re-image it. There are other aspects to this as well - if the user's roaming profile or home folder is infected you would have to clean it, but that can be done from your workstation and you wouldn't have to visit every machine.

Just an idea

_

Daniel DeStefano



RE: [ActiveDir] OT:spyware

2004-09-30 Thread Robert N. Leali



A quick look at that worm on the Symantec website shows it can use the same mechanisms to spread as Nachi/Welchia. We had problems with the patch mentioned in MS03-026 deploying correctly when the machine was infected. Try using the Stinger (http://vil.mcafeesecurity.com/vil/averttools.asp#stinger) to clean the box first. Then reapply the patch.

I don't consider myself an expert; I can only tell you my experience on this. The patch stops the spreading and then the AV starts the clean-up.

I think I read somewhere the only way to truly patch an infected machine is to wipe it clean and start over. You may have other problems installed beyond what the AV is detecting.

As to going to each PC, a tool I've found to be very useful is Atelier Web Remote Commander. As long as you have an admin account to the box, you can log on to it remotely without it having a client installed: http://www.atelierweb.com/rcomm/. Scripting is a lot quicker for mass problems, but for one or two machines here and there at remote locations, it's very useful.




RE: [ActiveDir] OT:spyware

2004-09-30 Thread Kern, Tom

We don't push out enough clients to merit Ghost. About 5-10 a month.

We just get the preinstalled OS with HP and run through the mini setup and install AV, Office, patches, etc.

Do you think Ghost would be better in this environment?



Do you guys use RIS at all?

RE: [ActiveDir] OT:spyware

2004-09-30 Thread Dan DeStefano



We do not use RIS.

Ghost is not just for client deployments. It can be used to roll out/roll back patches, software packages, backup user files/settings, etc, etc. And for a single admin in a 400-user environment I believe this is a near necessity. Are you really the only admin in a 400-user environment? Do you have any help at all? How do you have any time for a personal life?

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

The information contained in this communication is confidential, 
may be privileged and is intended for the exclusive use of the above named 
addressee(s). If you are not the intended recipient(s), you are expressly 
prohibited from copying, distributing, disseminating, or in any other way using 
any of the information contained within this communication. If you have received 
this communication in error, please contact the sender by telephone 212.871.5262 
or by response via e-mail.


Re: [ActiveDir] OT:spyware

2004-09-30 Thread ASB
Use an enterprise AntiSpyware product like Pest Patrol (or an
alternative, now that they've been infected by the dreaded CA virus)


-ASB
-- 
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/



- Original Message -
From: Kern, Tom [EMAIL PROTECTED]
Date: Wed, 29 Sep 2004 16:14:02 -0400
Subject: [ActiveDir] OT:spyware
To: [EMAIL PROTECTED]

Lately my users have been plagued with spyware and adware. What do you
guys do to fight this?

Can Spybot be pushed out as an msi via a gpo? Or ad-aware?

Should I set the killbit on all the local active x controls?

Should I prevent active x and javascripting in IE thru a gpo?

I'm running win2k/xp clients, but mostly win2k.

Finally, when you get a worm or a virus that writes to the
hklm\software\microsoft\windows\currentversion\run key, does the
worm/virus run under the user's security context?

Meaning, if the user is just a local user and thus has no privileges to
write to those keys, shouldn't the worm or virus not be able to as well?

Thanks and sorry for the deluge of questions, OT as they are.
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:spyware

2004-09-30 Thread Creamer, Mark

Yes, but have you *met* your son yet?

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 30, 2004 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

I exaggerate a bit.

I have a staff of 3 to do basic help desk for 400 users here in NYC and
another 100 upstate.

I'm the only one who supports server side stuff - AD, Exchange, AV,
Firewall, Routers/switches, DR testing, Blackberry, etc. and help desk if
the other 3 are too busy.

So it's not as bad as it seems.

I had enough time to get married and have an 18 month old boy :)

Thanks for all your help. You guys are great.

-Original Message-
From: Dan DeStefano [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 3:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

We do not use RIS.

Ghost is not just for client deployments. It can be used to roll out/roll
back patches, software packages, backup user files/settings, etc, etc. And
for a single admin in a 400-user environment I believe this is a near
necessity. Are you really the only admin in a 400-user environment? Do you
have any help at all? How do you have any time for a personal life?

_

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net
Measuring Ad Effectiveness on Television

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, September 30, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

We don't push out enough clients to merit Ghost. About 5-10 a month.

We just get the preinstalled OS with HP and run thru the mini setup and
install AV, Office, patch, etc.

Do you think Ghost would be better in this environment?

Do you guys use RIS at all?

From: Dan DeStefano [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 30, 2004 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

For the last part, have you thought about desktop imaging using a product
such as Symantec Ghost or Altiris Client Management Suite? Then you could
create standard desktop images for your clients. Then you could implement
folder redirection to redirect users' My Documents folders to their home
folders on the network and, if you want, enable roaming profiles so that
user profiles are stored on a server. Then configure the NTFS permissions
on the client machines so that the only place locally that users can write
to would be their user profile directory (users would obviously need to be
restricted users on the local machines, not administrators). This would
make the data on the client machines expendable, so if you have an
outbreak and the machine gets totally borked, you could simply re-image
it. There are other aspects to this as well - if the user's roaming
profile or home folder is infected you would have to clean it, but that
can be done from your workstation and you wouldn't have to visit every
machine.

Just an idea

_

Daniel DeStefano



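The lockdown Dan describes in the quoted 9:40 AM message (restricted users, NTFS set so the only local write location is the profile, My Documents redirected to a network home folder) can be verified rather than assumed. The PowerShell below is an added example written for this page, not code from the thread or from Symantec/Altiris; it assumes it is run interactively as an administrator on a client, PowerShell 3.0 or later, default English group names, and that the parent of $env:USERPROFILE is the profile root.

```powershell
# Added example for this thread, not the poster's or any vendor's code.
# Audits Dan's lockdown: on a restricted client the only local directory tree a
# regular user should be able to write to is their profile, and My Documents should
# resolve to a network home folder.
# Assumptions: run interactively as an administrator; PowerShell 3.0+; default
# English group names; the profile root is the parent of $env:USERPROFILE.

# Identities present in every interactive non-admin token. An Allow ACE for any of
# these grants the right to every regular user on the machine.
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# NTFS rights that let a user create, change or remove content. Read-type rights
# (ReadData, ListDirectory, ...) are deliberately left out.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-LowPrivWriteAces {
    # Returns one object per Allow ACE on $Path that gives a low-privilege identity
    # a write-type right. Inherited ACEs count: the user holds them either way.
    param([Parameter(Mandatory = $true)][string]$Path)

    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Directory = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

function Get-UserWritableDirectories {
    # Walks the system drive root and its top-level directories and reports every
    # place outside the profile root where a regular user can write. The profile
    # root (C:\Users, or C:\Documents and Settings on the Win2k/XP clients in the
    # thread) is expected to be writable and is skipped.
    param(
        [string]$Root = "$env:SystemDrive\",
        [string]$ProfileRoot = (Split-Path -Parent $env:USERPROFILE)
    )

    $targets = @($Root)
    $targets += Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ne $ProfileRoot } |
        ForEach-Object { $_.FullName }

    foreach ($dir in $targets) {
        Get-LowPrivWriteAces -Path $dir
    }
}

function Test-MyDocumentsRedirected {
    # Folder redirection, Dan's second step: once applied, the shell resolves
    # My Documents to a UNC path on the file server rather than a local directory.
    # A redirection to a mapped drive letter would report False; adjust if you map.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    [pscustomobject]@{
        MyDocuments = $docs
        Redirected  = [bool]([uri]$docs).IsUnc
    }
}

# Expect some findings even on an untouched default install (the drive root itself,
# shared application-data and temp locations). Each one is a place a user-context
# infection can drop files, so either tighten it or document why it stays.
Get-UserWritableDirectories | Sort-Object Directory, Identity | Format-Table -AutoSize
Test-MyDocumentsRedirected
```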

RE: [ActiveDir] OT:spyware

2004-09-29 Thread Mulnick, Al

What are you using for anti-virus protection? Some of the newer AV
products are coming with this built in vs. having to push out additional
software.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:spyware

Lately my users have been plagued with spyware and adware. What do you
guys do to fight this?

Can Spybot be pushed out as an msi via a gpo? Or ad-aware?

Should I set the killbit on all the local active x controls?

Should I prevent active x and javascripting in IE thru a gpo?

I'm running win2k/xp clients, but mostly win2k.

Finally, when you get a worm or a virus that writes to the
hklm\software\microsoft\windows\currentversion\run key, does the
worm/virus run under the user's security context?

Meaning, if the user is just a local user and thus has no privileges to
write to those keys, shouldn't the worm or virus not be able to as well?

Thanks and sorry for the deluge of questions, OT as they are.


RE: [ActiveDir] OT:spyware

2004-09-29 Thread Kern, Tom

Symantec Anti-Virus Enterprise 9.0.

It has some spyware protection but not that great, as my users are still
getting a ton.

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

What are you using for anti-virus protection? Some of the newer AV
products are coming with this built in vs. having to push out additional
software.

















RE: [ActiveDir] OT:spyware

2004-09-29 Thread Shadow Roldan

Here's what we do.

When we detect a user has become infested with spyware we 1st use a
combination of Spybot SD, Lavasoft AdAware, and HijackThis until we are
sure the machine is clean.

Then, depending on the kind of user, we either threaten to or just take
away their local admin privileges (this seems to stop at least some stuff
from being installed).

For particularly troublesome users, I install TeaTimer, remove shortcuts
to IE, and force them to use FireFox.

That's just us!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:spyware

Lately my users have been plagued with spyware and adware. What do you
guys do to fight this?

Can Spybot be pushed out as an msi via a gpo? Or ad-aware?

Should I set the killbit on all the local active x controls?

Should I prevent active x and javascripting in IE thru a gpo?

I'm running win2k/xp clients, but mostly win2k.

Finally, when you get a worm or a virus that writes to the
hklm\software\microsoft\windows\currentversion\run key, does the
worm/virus run under the user's security context?

Meaning, if the user is just a local user and thus has no privileges to
write to those keys, shouldn't the worm or virus not be able to as well?

Thanks and sorry for the deluge of questions, OT as they are.








RE: [ActiveDir] OT:spyware

2004-09-29 Thread Dipowarga Wirawan

I use McAfee antispyware. It works ok. I got Cool Web Search, it doesn't
detect it.

Anyone experience CWS and remove them successfully?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 3:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

Symantec Anti-Virus Enterprise 9.0.

It has some spyware protection but not that great, as my users are still
getting a ton.



















RE: [ActiveDir] OT:spyware

2004-09-29 Thread Christopher Hummert

Yea, download CWShredder from here:
http://www.spywareinfo.com/~merijn/downloads.html

The site runs a little slow and you'll need the VB6 runtimes to run it,
but it will take care of it.

From: Dipowarga Wirawan [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 1:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

I use McAfee antispyware. It works ok. I got Cool Web Search, it doesn't
detect it.

Anyone experience CWS and remove them successfully?









RE: [ActiveDir] OT:spyware

2004-09-29 Thread Dan DeStefano

Remember that Ad-Aware can only be legally used in non-commercial
environments. Spybot SD and Spyware Blaster are both free to both home and
corporate users, so I usually use these instead of Ad-Aware.

Regular users should not be able to write to the
hklm\software\microsoft\windows\currentversion\run key unless you have
changed the key's permissions.

Daniel DeStefano

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:spyware

Lately my users have been plagued with spyware and adware. What do you
guys do to fight this?

Can Spybot be pushed out as an msi via a gpo? Or ad-aware?

Should I set the killbit on all the local active x controls?

Should I prevent active x and javascripting in IE thru a gpo?

I'm running win2k/xp clients, but mostly win2k.

Finally, when you get a worm or a virus that writes to the
hklm\software\microsoft\windows\currentversion\run key, does the
worm/virus run under the user's security context?

Meaning, if the user is just a local user and thus has no privileges to
write to those keys, shouldn't the worm or virus not be able to as well?

Thanks and sorry for the deluge of questions, OT as they are.


RE: [ActiveDir] OT:spyware

2004-09-29 Thread Kern, Tom

When a user gets a virus, that virus will execute under that user's
security context. So a regular user should NOT have a virus write to
those keys.

True?

Or can a virus somehow get LocalSystem access?

Thanks

As to Symantec, I know this is not the forum for this, but I'm pretty
much at my limit with their products. I get infected by viruses that came
out a year or 6 months ago AND all our definitions are up to date.

I could chalk it up to my fault as an admin, if someone could just explain
to me how I can be infected by a virus I already have the defs for.

I assume the real time auto protect service is made to start BEFORE any
virus or worm does.

Oh well. End of rant.

From: Dan DeStefano [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

Remember that Ad-Aware can only be legally used in non-commercial
environments. Spybot SD and Spyware Blaster are both free to both home and
corporate users, so I usually use these instead of Ad-Aware.

Regular users should not be able to write to the
hklm\software\microsoft\windows\currentversion\run key unless you have
changed the key's permissions.

Daniel DeStefano

















RE: [ActiveDir] OT:spyware

2004-09-29 Thread Mulnick, Al

There are examples out there of viruses elevating privileges if that's
what you're asking. The goal of virus defense is to limit the impact, not
necessarily prevent every single infection. Things happen and you have to
either decide to limit the amount of damage a virus or errant user or
hacker, etc. can do or you have to bet that you are catching everything
before it happens.

Not only in your experience, but logically, you cannot prevent everything.
Virus defs lag exploits because one has to exist before the other. Turns
out the virus usually exists before the def does, right?

Your spyware problem is different. It could be a lot of things, or it
could be that this is a symptom of a larger issue. Can't quite tell from
the thread information so far.

Typical antivirus strategy has been to go after the "four sectors": file
and print, smtp, desktops, and mail groupware servers. The web adds
another sector to go after and changes the paradigm from a pull to a push
type of flow. The users actively go after content vs. having it sent to
them.

Spyware is not all bad though, right? Some of it is undesirable, such as
tracking cookies etc. Some of it leads to malware and really sucks to get
rid of. Ask any IT person with a non-tech teenage neighbor ;)

Best bet is to start with a policy and work back from there to a strategy
and then to an execution plan. If your current strategy isn't working, it
might be worth it to revisit the planning and then design the solution
and deploy it to meet those requirements and direction. Why not just jump
to action? I say this because you may be able to treat the symptoms now,
but you'll just be waiting for the next one with no clear reaction plan
or alternatives when it hits.

My $0.02 anyway.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 5:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

When a user gets a virus, that virus will execute under that user's
security context. So a regular user should NOT have a virus write to
those keys.

True?

Or can a virus somehow get LocalSystem access?

Thanks

As to Symantec, I know this is not the forum for this, but I'm pretty
much at my limit with their products. I get infected by viruses that came
out a year or 6 months ago AND all our definitions are up to date.

I could chalk it up to my fault as an admin, if someone could just explain
to me how I can be infected by a virus I already have the defs for.

I assume the real time auto protect service is made to start BEFORE any
virus or worm does.

Oh well. End of rant.







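The exchange above turns on two claims: Dan's, that a regular user cannot write the HKLM Run key unless its ACL has been changed, and Al's, that a virus with a privilege-escalation exploit gets there regardless. The PowerShell below is an added example for this page, not the thread's or any vendor's code; it checks the first claim on a client (do the machine-wide Run/RunOnce keys still deny write access to low-privilege identities?) and inventories the entries under both the HKLM and HKCU keys so that the second case can at least be spotted after the fact. It assumes administrator rights, PowerShell 3.0 or later and default English group names.

```powershell
# Added example for this thread, not the poster's or any vendor's code.
# Checks the Run-key ACL claim from the thread and inventories autostart entries.
# Assumptions: run as an administrator; PowerShell 3.0+; default English group names.

# Machine-wide keys: entries here run for every user at logon. Dan's answer says a
# regular user cannot write them unless the ACL was changed; the audit reports
# what the current ACL actually grants.
$MachineRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Per-user keys: writable by the user by design, so code running in the user's own
# context needs no elevation to register here. Contents are listed, ACLs not tested.
$UserRunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Identities every interactive non-admin token contains.
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Registry rights that allow adding or changing an autostart entry or its ACL.
# FullControl contains all of these bits, so it is caught by the same test.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-LowPrivRegistryWriteAces {
    # Allow ACEs on $Key that grant a low-privilege identity a write-type right.
    param([Parameter(Mandatory = $true)][string]$Key)

    $acl = Get-Acl -Path $Key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band [int]$WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Key      = $Key
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.RegistryRights
        }
    }
}

function Get-AutostartEntries {
    # Every value under $Key: the value name and the command line it launches.
    param([Parameter(Mandatory = $true)][string]$Key)

    if (-not (Test-Path -Path $Key)) { return }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key     = $Key
            Name    = $name
            Command = [string]$item.GetValue($name)
        }
    }
}

function Invoke-RunKeyAudit {
    $writable = @()
    foreach ($key in $MachineRunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $aces = @(Get-LowPrivRegistryWriteAces -Key $key)
        if ($aces.Count -gt 0) {
            # The default ACL has been loosened: code in a plain user's context can
            # now register machine-wide, the case Dan's answer rules out.
            Write-Warning "$key grants write access to a low-privilege identity"
            $writable += $aces
        }
    }
    # Al's point: a virus that elevates to SYSTEM writes HKLM regardless of the ACL,
    # so reviewing the inventory is the part of this check with no shortcut.
    $entries = @()
    foreach ($key in ($MachineRunKeys + $UserRunKeys)) {
        $entries += @(Get-AutostartEntries -Key $key)
    }
    [pscustomobject]@{
        WritableByUsers = $writable
        Entries         = $entries
    }
}

$report = Invoke-RunKeyAudit
$report.WritableByUsers | Format-Table -AutoSize
$report.Entries | Format-Table -AutoSize
```

Compare the Entries list against a known-good image of the same client build; anything launching from a profile or temp directory is the first thing to look at.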


RE: [ActiveDir] OT:spyware

2004-09-29 Thread Kern, Tom

As re: Symantec, a lot of the viruses I've been getting lately have been
viruses that are over a year old and defs have been out for a while, so
I'm puzzled as to why I keep getting infected.

The spyware/adware I think may be virus related and not web push related,
but I'm not positive.

When you say policy, are you referring to locking down desktops or a
written set of standards provided by IT or upper management?

It's difficult for me to block web sites on content as I work for a large
liquor distribution firm where many sales reps and managers have to go to
bar/club or liquor sites that have content which results in a lot of
false positives for me.

Finally, we have over 400 users and if I really had a large outbreak
(100+ PCs), I really don't know how I would take care of it. I'm the only
admin and going to each PC to clean individually would be insane.

How would I take care of that?

It's thoughts like that which keep me up at night.

Thanks

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 29, 2004 5:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:spyware

There are examples out there of viruses elevating privileges if that's
what you're asking. The goal of virus defense is to limit the impact, not
necessarily prevent every single infection. Things happen and you have to
either decide to limit the amount of damage a virus or errant user or
hacker, etc. can do or you have to bet that you are catching everything
before it happens.

Not only in your experience, but logically, you cannot prevent everything.
Virus defs lag exploits because one has to exist before the other. Turns
out the virus usually exists before the def does, right?

Your spyware problem is different. It could be a lot of things, or it
could be that this is a symptom of a larger issue. Can't quite tell from
the thread information so far.

Typical antivirus strategy has been to go after the "four sectors": file
and print, smtp, desktops, and mail groupware servers. The web adds
another sector to go after and changes the paradigm from a pull to a push
type of flow. The users actively go after content vs. having it sent to
them.

Spyware is not all bad though, right? Some of it is undesirable, such as
tracking cookies etc. Some of it leads to malware and really sucks to get
rid of. Ask any IT person with a non-tech teenage neighbor ;)

Best bet is to start with a policy and work back from there to a strategy
and then to an execution plan. If your current strategy isn't working, it
might be worth it to revisit the planning and then design the solution
and deploy it to meet those requirements and direction. Why not just jump
to action? I say this because you may be able to treat the symptoms now,
but you'll just be waiting for the next one with no clear reaction plan
or alternatives when it hits.

My $0.02 anyway.












