RE: [ActiveDir] OT:spyware

[Mulnick, Al]

There are examples out there of viruses elevating privileges if that's what you're asking.  The goal of virus defense is to limit the impact not necessarily prevent every single infection.  Things happen and you have to either decide to limit the amount of damage a virus or errant user or hacker, etc can do or you have to bet that you are catching everything before it happens.   Not only in your experience, but logically, you cannot prevent everything.  Virus defs lag exploits because one has to exist before the other.  Turns out the virus usually exists before the def does, right?   Your spyware problem is different.  It could be a lot of things, or it could be that this is a symptom of a larger issue.  Can't quite tell from the thread information so far.   Typical antivirus strategy has been to go after the "four sectors" file and print, smtp, desktops, and mail groupware servers.  The web adds another sector to go after and changes the paradigm from a pull to a push type of flow.  The users actively go after content vs. having it sent to them.   Spyware may is not all bad though, right? Some of it is undesirable such as tracking cookies etc.  Some of it leads to malware and really sucks to get rid of.  Ask any IT person with a non-tech teenage neighbor ;)   Best bet is to start with a policy and work back from there to a strategy and then to an execution plan. If your current strategy isn't working, it might be worth it to revisit the planning and then design the solution and deploy it to meet those requirements and direction.  Why not just jump to action?  I say this because you may be able to treat the symptoms now, but you'll just be waiting for the next one with no clear reaction plan or alternatives when it hits.    My $0.02 anyway.     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 5:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware When a user gets a virus, that virus will execute under that user’s security context. So a regular user should NOT have a virus write to those keys. True?   Or can a virus somehow get localsystem access?   Thanks   As to Symantec, I know this is not the forum for this, but I’m pretty much at my limit with their products. I get infected by viruses that came out a year or 6 months ago AND all our definitions are up to date. I could chalk it up to my fault as an admin, if someone could just explain to me how I can be infected by a virus I already have the defs for. I assume the real time auto protect service is made to start BEFORE any virus or worm does. Oh well. End of rant.       From: Dan DeStefano [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 29, 2004 5:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT:spyware   Remember that Ad-Aware can only be legally used in non-commercial environments. Spybot S&D and Spyware Blaster are both free to both home and corporate users, so I usually use these instead of Ad-Aware. Regular users should not be able to write to the hklm\software\microsoft\windows\current version\run key unless you have changed the key's permissions.     Daniel DeStefano         -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Kern, Tom Sent: Wednesday, September 29, 2004 4:14 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT:spyware Lately I my users have been plagued with spyware and adware. What do you guys do to fight this? Can Spybot be pushed out as an msi via a gpo? Or ad-aware? Should I set the killbit on all the local active x controls? Should I prevent active x and _javascript_ing in IE thru a gpo?   I’m running win2k/xp clients, but mostly win2k.   Finally, when you get a worm or a virus that writes to the hklm\software\microsoft\windows\currentversion\run key, does the worm/virus run under the user’s security context? Meaning, if the user is just a local user and thus has no privileges to write to those keys, shouldn’t the worm or virus not be able to as well?   Thanks and sorry for the deluge of questions, OT as they are.