Security Basics mailing list archives

RE: Network spyware detection


From: Luke Sullivan <LSullivan () constellagroup com>
Date: Wed, 4 Aug 2004 16:22:23 -0400

I would agree with Gabrielle's remarks below, but would like to add this: if
you boot the infected computer in Safe-mode, then run a manual scan, the
SAV9 option to delete first then Log works much better.  The other thing is
I have not found a product yet that will delete or remove EVERY piece of
certain spyware/malware - but the nice thing about SAV9 is the stuff they
can't/won't delete is logged and a URL is provided to Symantec's site on how
to remove that specific malware - even if it is manually.  What I'd like to
see added, is a way to save or print the log file! 
And yes, I totally agree that a realtime protection or immunization would be
a great feature. 

-Luke


-----Original Message-----
From: Dowling, Gabrielle [mailto:dowlingg () sullcrom com]
Sent: Saturday, July 31, 2004 1:31 AM
To: Barber, Chris Mr. ATEC/Contractor; security-basics () securityfocus com
Subject: RE: Network spyware detection

Chris....

There are significant drawbacks to SAV9's adware "scanning"
functionality.

As you inferred, detection is limited to scheduled scans, there is no
realtime protection component as yet.

More important, it does not have any comprehensive cleaning functionality as
yet, so using the option to delete or report detected files can be quite
problematic.  (To their credit, there are cautions in their documentation
about this).

Given these two factors, it doesn't strike me as a reasonable solution at
the moment, as it essentially means you can use it for alerting purposes
only, and then have someone visit the workstation and run a host of cleanup
tools (and incur the cost for those tools, since my perception is that none
of these are free to use in a corporate environment).  Only to have to visit
the same workstation again a week later because hey, the user chose to
respond to the popup to optimize their browsing experience once again.

I've done a limited pilot of SAV9, and found that while it's done a very good
job of detecting adware (etc.... and for etc I should point out that it is
also supposed to add enhanced detection for other non-viral threats such as
porn dialers), I suspect I will not roll out this feature and rather leave
it as SOP that if users complain about system performance, PCS will check
and remove adware with an application specifically designed for that
purpose.  Otherwise, given the proliferation of such these days, we'd have
to double our pc support staff just to respond to these detections (and for
little gain, unless their ability to perform work is measurably slowed down
as a result of the adware).

I do not see any good enterprise-level apps for this purpose at this point
in time (I know some are trying to enter this place), and it's a significant
problem.  AV seems ideally suited to take on the role, for a variety of
reasons.  McAfee is supposed to already provide cleaning, but I have no
experience with current versions and so couldn't comment on their actual
success with this.

Regards

Gaby

-----Original Message-----
From: Barber, Chris Mr. ATEC/Contractor
[mailto:Chris.M.Barber () atec army mil]
Sent: Thursday, July 29, 2004 9:20 AM
To: 'security-basics () securityfocus com'
Subject: RE: Network spyware detection


Ben,
        Symantec Antivirus 9.0 has that option built in.  With SAV
Enterprise you can manage all your SAV clients and have them scan for
AD/Spy ware.  It is not an automatic scan, but it can be set up as a
scheduled scan. The schedule and the policy are pushed from the
Enterprise server to the clients.


Chris.



-----Original Message-----
From: Ben Huntley [mailto:benh () steffian com] 
Sent: Tuesday, July 27, 2004 8:10 AM
To: security-basics () securityfocus com
Subject: Network spyware detection


hi,
 
do any of you have recommendations/preferences regarding spyware
detection software appropriate for win2k networks?  spybot s&d 1.3 is
part of our base workstation image, however, we'd like to find something
that can be controlled & maintained from an admin perspective (e.g.
broadcast updates, tweaks, et al).  thanks in advance!
 
ben 


