Helping users combat spyware

Your campaign to stomp out spyware in your organization will be more successful if you enlist the aid of your users. Teaching them what to look for and reducing their exposure to spyware risks is half the battle.

You've done it all. The servers are patched with the latest code, the workstations are protected with the top-of-the-line spyware detection software, and you've configured the firewall to block all unnecessary outbound ports. You sit back, take a breath, and congratulate everyone on a job well done.

But while you're enjoying the moment, a new employee in another part of the building is installing WeatherBug so she can get the daily forecast before driving home. By the time your party's over, she'll have convinced two of her coworkers to install the application as well. Your safe and secure network was just breached at the weakest point: the user.

In this article, we'll discuss steps you can take to enlist your users' help in fighting the spyware battle. We've also included a spyware prevention checklist, which you can use as a quick reference for anti-spyware best practices.

Raising user awareness

One of the key components of an anti-spyware initiative is educating users. Start with the basics, such as what constitutes spyware and what risks it poses. Once you've introduced the fundamentals, you can teach users how to spot spyware and what they can do to keep it off their machines. Depending on the size of your organization, these lessons can be taught in formal classes or in one-on-one sessions, where technicians visit users. Topics you'll want covered include:

Recognizing installed spyware. Users need to be aware of spyware symptoms. Most spyware is easily detected because it generates advertising pop-up windows, but users should also look for sluggish system performance, new home pages in their Internet browser, Internet pages that are rerouted to other Web sites, and the sudden appearance of new toolbars.

Downloading and installing cautiously. When users are presented with a pop-up window that asks them to click OK to install a "helpful" application, instruct them to either click the X in the upper-right corner of the window or press [Alt][F4] to close the window. They should never click OK or I Agree to close a pop-up window.

Carefully reading the EULA. If users elect to install a software program, they should take a few minutes to read the end-user license agreement (EULA) and all installation options to ensure that there aren't any additional applications hidden within the installation package. Even a trustworthy program like the Google toolbar has benign spyware options offered as part of the installation routine.

Be prepared to encounter users who believe that spyware applications are helpful. For example, at first glance, WeatherBug may appear quite handy. However, it also installs the My Search toolbar and generates pop-up advertising windows. So, in addition to removing the spyware, you must convince users that these programs can potentially lead to other problems.

Tightening browser security

Internet Explorer 6 offers several security settings designed to keep spyware at bay. These features attempt to strike a balance that allows users to browse the Web while still protecting their computers from harmful software.

To access the IE security settings, click Tools | Options. The security settings are located on the Security and Privacy tabs. Figure A shows the four security zones where all Web sites are gathered:

The Internet Zone contains all Web sites that are not placed in the other three zones.

The Local Intranet Zone contains Web sites on your company's intranet.

The Trusted Sites Zone contains all sites that you believe to be trustworthy and that you want your users to be able to view.

The Restricted Sites Zone contains all the sites you don't want anyone who uses the computer to view.


Figure A


By adding sites to the Restricted Sites Zone, you can prevent users from viewing sites you deem dangerous. For example, you might want to consider blocking the download site for WeatherBug to keep users from downloading and installing the program.

To add sites to the Restricted Sites Zone, click the Sites button. When the Restricted Sites dialog box appears (Figure B), enter the address of the site you want to restrict and click Add. The site will be added to the Restricted Sites list.

Figure B


You can also customize the security settings for a particular zone. Click the Custom Level button to open the dialog box shown in Figure C. Here, you can change the security level or modify the default settings.

Figure C


The Privacy tab, shown in Figure D, allows you to modify the security level for the Internet Zone. To adjust the level, simply move the slider to the desired setting. The Privacy tab also lets you modify the settings for the Microsoft Pop-up Blocker program, which we'll look at next.

Figure D


Installing pop-up blocker software

Pop-up blocker software won't prevent spyware from being installed on a computer, but it will at least keep pop-up advertisements from displaying. These programs use a database of known pop-up sites to prevent them from opening. When a Web site in the database attempts to display, the pop-up blocker closes the new window.

Pop-up site databases are populated in two ways. Some pop-up blockers require users to specify every Web site they want blocked, usually by selecting from a list of open windows. There are a couple of problems with this approach. First, it's a time-consuming method of populating the database. Second, the pop-up window must be opened at least once before it is blocked. This type of program works well, but users quickly tire of adding Web sites to the database.

Other pop-up blockers use a pop-up window definition file, which is a better alternative. The definition files are constantly updated, providing a current list of pop-up sites. These programs are easier to use and only require users to update the definition file, not actually build their own. The IE Pop-up Blocker that's installed with WinXP SP2 is an example of this type of software.

To view Pop-up Blocker settings, open Internet Explorer and click Tools | Pop-up Blocker | Pop-up Blocker Settings. Figure E shows the options that are available.

Figure E


First, you can add Web site addresses to the Allowed Sites list. These sites override the definition file and allow you to view pop-up windows from certain Web sites that might otherwise be blocked. You can also select the type of notification you receive when a pop-up is blocked and set the Filter Level. In general, the Medium setting does a good job of blocking most pop-ups from adware companies. If you want to block all pop-ups, select the High setting. The Low setting blocks all pop-ups except those from secure sites listed in the definition file.

Using anti-spyware tools

Spyware detection software scans a computer's hard drive for known spyware. Teaching your users how to use these applications allows them to remove spyware at the first sign. You should also instruct your users to run the spyware detection software at least once a week, even if they don't notice any signs of spyware. Regularly running the detection program can prevent problems before they surface. We'll look at spyware detection software in depth in a future article.


In today's world, spyware is a constant threat. However, computer users can help combat spyware by understanding the risks, downloading cautiously, carefully reading EULAs for every piece of software they install, and regularly using spyware detection software. The checklist in Table A covers the basic steps you and your users can take to stay on top of the spyware situation.

Untitled Document

Table A

Spyware prevention checklist
Educate users about the dangers of downloading and installing software that has not been approved for the corporate network.
Explain the importance of reading the end-user license agreement (EULA) when installing software.
Install anti-spyware software, such as Lavasoft's Ad-Aware,
on all computers in the corporate environment.
Teach users how to recognize and remove spyware using
anti-spyware software programs.
Inform users of new spyware programs that appear in the corporate environment. This can prevent them from downloading and installing something that a coworker or friend shows them.
Configure browser security settings to reduce the amount of spyware that can be downloaded.
Install pop-up blocker software or use the Internet Explorer
Pop-up Blocker addition.
Configure firewalls to block all outbound traffic on unused ports to prevent spyware from covertly sending information through them.
Use group policies to prevent software installation on corporate workstations.
Reduce the amount of Web surfing allowed on corporate computers.

These measures will greatly reduce the amount of spyware that gets installed on a computer. Of course, they won't eliminate the threat entirely, but they'll give you a healthy head start on keeping spyware under control.

Editor's Picks

Free Newsletters, In your Inbox