SolutionBase: Multiple tactics can help keep spyware at bay

The proliferation of spyware apps has forced many IT pros into reactive mode. But preventing spyware from installing is a lot easier than dealing with it after it has moved in. These strategies can help keep spyware from weaseling its way onto your systems.

Removing spyware from a computer is comparable to a root canal: Both can be painful and time consuming. That's why the best way to combat spyware is to do everything you can to prevent it from being installed in the first place. Although nothing will protect you completely, you can follow some simple steps to reduce the amount of spyware that finds its way into your organization. Just think of these measures as brushing and flossing. They may not always prevent major problems, but if you don't do them, you're guaranteed to have serious issues at some point.

Use spyware detection tools regularly

Antivirus software is a staple of every enterprise workstation these days. No IT staffer would even dream of deploying a workstation without it. Yet spyware detection tools are still scarce on company networks. A recent Webroot survey indicated that while 70 percent of organizations expressed concern about spyware, fewer than 10 percent of them have installed any spyware detection software.

Spyware detection tools, such as LavaSoft's Ad-Aware, are generally used to remove spyware that is already installed on a workstation. However, removing these programs is also an important part of preventing additional spyware from being installed on a workstation. Once a spyware program is installed on a computer, the author may send updates to the program. For example, a user could be presented with a window announcing an update to a program that's actually spyware. If the user agrees to update the software, the additional spyware is installed. Routinely running spyware detection programs can eliminate this threat.

Keep operating systems and software updated

Network administrators understand the need for keeping the server and workstation operating systems and applications updated. Managers and small business owners often don't. This can present problems for IT pros, because skimping on updates can lead to problems that ultimately cost more than upgrading a few workstations or applications.

For instance, Windows 95/98 workstations still have a presence in many organizations, despite being outdated and lacking security. The absence of user permissions and restrictions allows anyone to install software on the computer. So, for organizations using Windows 95/98, the first step in reducing the risk of spyware (and avoiding many other issues) should be an upgrade to Windows 2000 or XP.

In addition to updating the workstation operating system, you should also keep application software updated. Software vendors regularly update their applications to patch holes that spyware authors exploit. For example, Microsoft's Windows XP Service Pack 2 includes an update to Internet Explorer that provides a pop-up blocker and an Add-On Manager, which shows a list of browser add-ons that have been installed. Often, these add-ons are actually spyware.

You should also install all service packs and hotfixes, since these updates may close holes that virus and malware authors exploit. Keeping software current is especially important for antivirus and spyware detection tools: if the spyware definition file isn't current, the detection tool won't be able to identify the latest spyware. Generally, it's a good idea to check for updates at least once a week.

Microsoft recommends that you configure Windows to download and install operating system updates automatically. This isn't a viable solution in an enterprise, where you need to verify that the changes are compatible with your environment. However, if you work in a small organization or consult for a number of small business clients, you may want to configure Windows to either notify you before installing the updates or to notify you when updates are available. These two options give you control of when (and if) updates are installed. You can configure the Windows XP Automatic Updates settings by clicking Start | Control Panel | Automatic Updates. In the Automatic Updates dialog box, shown in Figure A, select the option you want to use and click OK.

Figure A


Limit Web surfing

Every minute that employees spend surfing the Internet costs their employers money in the form of reduced productivity or reduced network availability. Another, less obvious, consequence of user surfing is the time required for IT support personnel to remove spyware from workstations. This is a significant concern. A recent Dell survey reported that 20 percent of the calls to its help desk were related to spyware. Although the Dell help desk primarily services home customers, that's still an enormous amount of resources dedicated to resolving spyware-related issues.

One solution to this problem is to reduce the amount of external Web surfing users conduct. If particular employees don't need to use the Internet as part of their job, don't give them a browser application, or strictly enforce an Internet usage policy. This type of policy will reduce technical support calls, free up network bandwidth, and possibly increase productivity.

Use group policies and software restriction policies

In an enterprise environment, you can employ group policies to prevent software installation on user workstations. This is a good way to keep users from installing tempting applications such as the Google toolbar and WeatherBug, or any other type of software that has not been qualified for your network. To find out more about setting up group policies, download our "Windows Group Policy Quick Guide."

If you work in a smaller organization, software restriction policies can offer a nice solution for preventing installation of specific programs. You must manually create a policy for each program, which makes it a time-consuming method of blocking spyware installation. However, despite this drawback, you may want to consider using a software restriction policy to prevent installation of certain applications, such as software from Gator Corporation (now called Claria Corporation). You might also want to prevent someone from reinstalling an application you just spent an hour removing.

To create a software restriction policy in Windows XP, click Start | Control Panel | Administrative Tools | Local Security Policy. The Local Security Settings dialog box will appear. Click Software Restriction Policies. If no policies are currently defined on the computer, you'll see the message shown in Figure B.

Figure B


Now, click Action | New Policies, and you'll see two new entries under Software Restriction Policies. Right-click on Additional Rules and select New Path Rule, as shown in Figure C.

Figure C


When the New Path Rule dialog box appears, enter %SYSTEMROOT%\filename in the Path field. For instance, typing FSG.EXE as the filename will block installation of a Gator Trickler file. If the application includes multiple files, you must create a restriction policy for each one.

Verify that the Security Level is set to Disallowed, and type a description in the space provided, as shown in Figure D. Once you create the software restriction policy, no one can install the file on that particular computer.

Figure D


Since you have to know specifically which software installations to block before you can create a policy to block them, you'll need information on what files may be worth restricting. You can find out about known spyware and adware programs by checking a "parasite" list such as the ones offered by DoxDesk, Kephyr, and Pest Patrol.
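The steps above create one path rule at a time through the Local Security Policy console. The following added example (not code from the original article) does the same job for a whole list of filenames taken from a parasite list by writing the rules out as a .reg file that you import with regedit. It assumes the registry location where the Local Security Policy snap-in stores its rules, HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with Disallowed (level 0) rules under a 0\Paths\{GUID} subkey; FSG.EXE is the Gator Trickler file named above, and EXAMPLE-ADWARE.EXE is a constructed placeholder.

```python
"""Build a .reg file of Software Restriction Policy path rules.

Added example; not code from the original article. It does for a whole
list of filenames what the Local Security Policy steps do for one:
a Disallowed path rule of the form %SYSTEMROOT%\\filename. The registry
location is an assumption: the place the Local Security Policy snap-in
stores its rules, with level 0 (Disallowed) rules under "0\\Paths\\{GUID}".
"""
from __future__ import annotations

import uuid

SAFER_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows"
             r"\Safer\CodeIdentifiers")
DISALLOWED = 0          # security level the article's rules use
UNRESTRICTED = 0x40000  # default level: anything without a rule still runs


def reg_string(value: str) -> str:
    """Quote a REG_SZ value for regedit: backslashes and quotes are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_expand_sz(value: str) -> str:
    """Encode a REG_EXPAND_SZ value as regedit's hex(2): UTF-16LE plus a NUL."""
    data = (value + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def decode_expand_sz(encoded: str) -> str:
    """Inverse of reg_expand_sz; useful when auditing an exported policy."""
    if not encoded.startswith("hex(2):"):
        raise ValueError("not a hex(2) value")
    raw = bytes(int(h, 16) for h in encoded[len("hex(2):"):].split(","))
    return raw.decode("utf-16-le").rstrip("\0")


def path_rule(filename: str, description: str, rule_id: str = "") -> list[str]:
    """Lines for one Disallowed rule on %SYSTEMROOT%\\filename (e.g. FSG.EXE)."""
    rule_id = rule_id or str(uuid.uuid4())
    key = "\\".join([SAFER_KEY, str(DISALLOWED), "Paths", "{" + rule_id + "}"])
    item = reg_expand_sz("%SYSTEMROOT%\\" + filename)
    return [
        "[" + key + "]",
        '"Description"=' + reg_string(description),
        '"ItemData"=' + item,
        '"SaferFlags"=dword:00000000',
        "",
    ]


def build_reg_file(filenames, description: str = "Blocked: known spyware") -> str:
    """Whole .reg file: policy defaults plus one rule per filename."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        "[" + SAFER_KEY + "]",
        f'"DefaultLevel"=dword:{UNRESTRICTED:08x}',  # everything else still runs
        '"TransparentEnabled"=dword:00000001',       # enforce the policy
        '"PolicyScope"=dword:00000000',              # apply to all users
        "",
    ]
    for name in filenames:
        lines += path_rule(name, f"{description} ({name})")
    return "\n".join(lines) + "\n"


# Constructed list: FSG.EXE is the Gator Trickler file the article names;
# EXAMPLE-ADWARE.EXE is a placeholder for a name taken from a parasite list.
KNOWN_SPYWARE_FILES = ["FSG.EXE", "EXAMPLE-ADWARE.EXE"]

if __name__ == "__main__":
    with open("block-spyware.reg", "w", encoding="utf-8", newline="\r\n") as fh:
        fh.write(build_reg_file(KNOWN_SPYWARE_FILES))
```

Running the script writes block-spyware.reg; importing it on a workstation produces the same Disallowed path rules you would otherwise click through for each file, and decode_expand_sz lets you read back the ItemData of an exported policy when you need to audit what is currently blocked.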

Use a firewall

Firewalls do a good job of preventing others from accessing your computer. Unfortunately, they do little to prevent spyware from being installed because most spyware applications come bundled with legitimate applications that you yourself install. Spyware is also usually passed through TCP port 80, which is the standard port used for browsing the Web. That means you can't block port 80 unless you also want to block all of your legitimate Web traffic. However, you can use a firewall to prevent information from being sent back to the adware company.

Most default firewall configurations consider all outbound traffic to be safe. But you might consider restricting outbound traffic on all ports except those used for HTTP, POP3, and SMTP. Although this won't prevent spyware applications from sending data through those ports, it will prevent applications from sending your personal information through any other outbound port.
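To make the effect of such an outbound allowlist concrete, here is an added example (not code from the original article) that applies the policy just described to a handful of connection records: outbound TCP to HTTP, POP3 and SMTP is allowed, everything else outbound is blocked. The record format, the addresses and the process names are constructed for the example; the adware process is named after the Gator file mentioned earlier so that the port-80 caveat from the text shows up in the results.

```python
"""Apply an outbound-allowlist firewall policy to connection records.

Added example; not code from the original article. It models the policy
suggested in the text: outbound TCP to HTTP (80), POP3 (110) and SMTP (25)
is allowed, everything else outbound is blocked. The log format, hosts and
process names below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Port -> service name, the three services the article keeps open.
ALLOWED_OUTBOUND_TCP = {80: "HTTP", 110: "POP3", 25: "SMTP"}

# Constructed record format:
# "<date> <time> <process> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


@dataclass
class Verdict:
    process: str
    dst: str
    dport: int
    action: str  # "allow" or "block"
    reason: str


def parse_line(line: str) -> dict:
    """Split one record into its fields; reject anything that does not fit."""
    match = LOG_LINE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised connection record: {line!r}")
    return match.groupdict()


def evaluate(record: dict, allowed=ALLOWED_OUTBOUND_TCP) -> Verdict:
    """Default deny: only TCP to an allowlisted port gets out."""
    dport = int(record["dport"])
    if record["proto"] == "TCP" and dport in allowed:
        return Verdict(record["proc"], record["dst"], dport, "allow",
                       f"{allowed[dport]} port is on the allowlist")
    return Verdict(record["proc"], record["dst"], dport, "block",
                   "outbound port not on the allowlist")


def apply_policy(lines) -> list[Verdict]:
    return [evaluate(parse_line(line)) for line in lines]


def blocked_processes(verdicts) -> list[str]:
    """Processes that tried a blocked port: worth checking with a detection tool."""
    return sorted({v.process for v in verdicts if v.action == "block"})


# Constructed sample: a browser and a mail client behaving normally, plus an
# adware process (named after the Gator file the article mentions) phoning home.
SAMPLE_LOG = [
    "2005-03-01 09:14:02 iexplore.exe TCP 192.168.1.20:1044 -> 203.0.113.10:80",
    "2005-03-01 09:14:05 outlook.exe TCP 192.168.1.20:1045 -> 203.0.113.25:110",
    "2005-03-01 09:15:31 fsg.exe TCP 192.168.1.20:1046 -> 203.0.113.77:80",    # allowed: the port-80 caveat
    "2005-03-01 09:15:40 fsg.exe TCP 192.168.1.20:1047 -> 203.0.113.77:8080",  # blocked
    "2005-03-01 09:16:02 fsg.exe UDP 192.168.1.20:1048 -> 203.0.113.77:53",    # blocked: UDP is not on the list
]

if __name__ == "__main__":
    for v in apply_policy(SAMPLE_LOG):
        print(f"{v.action:5} {v.process:13} -> {v.dst}:{v.dport}  ({v.reason})")
```

The third record is the point the text makes: the adware's report over port 80 looks exactly like browsing and passes, which is why the outbound rule complements rather than replaces a detection tool. Note also that a literal three-port list leaves out name resolution; on a real network you would either add DNS (UDP port 53, ideally only to your own resolvers) to the allowlist or send lookups through an internal proxy.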


Even if you follow every precaution we've considered here, chances are good that spyware will still end up on your users' machines. However, these steps will at least help reduce the amount of spyware that infests your organization. Regularly running anti-spyware tools, keeping operating systems and applications up to date, controlling employee surfing habits, restricting software installation, and using a firewall to help prevent information from being sent to adware companies will lessen the number of spyware root canals you have to undertake.