Network Security Focus-Virus

RE: Microsoft AntiSpyware falling further behind

Subject: RE: Microsoft AntiSpyware falling further behind
Date: Thu, 27 Oct 2005 15:50:35 -0500

First off, let me say that I work for a gateway AV, AS, anti-spyware
company: www.esafe.com

Here is a site that did a GREAT job of reviewing the ups and downs of
many of the products out there (both gateway and desktop): eSafe,
Bluecoat, Microsoft, etc.
http://www.networkworld.com/reviews/2005/091205-spyware-test.html

As all the other threads have said... The proactive approach is by far
the best way to deal with this ever-evolving threat. Currently there
are over 112,000 (src: webroot) spyware signatures that have been
evaluated, and this number is growing daily. There are many products
that battle these problems: gateway and desktop (hereafter called
endpoint).
All gateway products have a great advantage over endpoint solutions.
They have a low TCO, due to a single point of management. The endpoint
approach has the deployment, daily management and management when an
event occurs.

With the above said, the endpoints are needed as part of a 'Defense in
Depth' solution. Endpoints are often connected to the internet outside
the protection of the corporate environment. 'Defense in Depth' also
refers to a multi-vendor approach, and is a needed part of a robust
security practice.

AntiSpyware is far, far from the accuracy of antivirus, especially
something like NOD32. I wonder how long it will be before a decent
AntiSpyware application is released that, like NOD32 does with viruses,
actually stops spyware *before* it is installed?
Hilton Travis

I find the products that people pay for are better than the free ones
(eg webroot, eSafe, etc). With this said, people often talk about ROI.
Here are my thoughts on a product that costs -vs- a free product.

If you have an infection then you will spend xx dollars in lost
productivity and xx dollars rebuilding a machine. With Scumware (Spyware,
Adware, Keyloggers, etc) the computer is usually still functional. The
problem is not as apparent. Justification of ROI is harder due to the
non-physical risk.

     ((Time * Cost of Labor)+ Endpoint downtime + Project Management) 
     = Cost of this one infection.

Other things that are harder to quantify:
Loss of control of data
Loss of passwords (loss of security)
Machine slow down
Machine freeze ups
Calls to help desk
Being black listed (due to zombies)


With a proactive solution the infection never reaches the point of
installation.  With a reactive approach the problem now needs a pound of
cure.

With all anti-X (AV, Anti-spyware, etc) you are buying risk mitigation.
A good ROI write-up:
http://documents.iss.net/whitepapers/Business_Value_of_Security_Whitepaper.pdf

The bottom line is you need more than just a desktop solution. Even if
it is Microsoft's ;)


Respectfully,
William D. Ward                      847-637-4047
 

-----Original Message-----
From: Bruce Klein [mailto:bruce.klein@iovation.com]
Sent: Wednesday, October 26, 2005 16:30
To: Nathan Kline; focus-virus@securityfocus.com
Subject: RE: Microsoft AntiSpyware falling further behind

Being proactive vs. post mortem (tending to the corpse) or a whole
other direction... which is effective and costs less (time/money)?

So the following may be too long but I need to say it. You may end up
asking "what's my point". It is simply that this is part of the job - you
might as well make it as easy as possible for yourself.

The last messages I have seen are leading in the same direction --- how
do we do this better & smarter (faster, cheaper, spend less time on a
no-added-value task). There is value added here (although it seems like a
waste) - it is maintaining the status quo so everyone (the non-IT people)
can do their computer-based work/job.

Today I don't see THE technology (only) solution that can do this, and I
rarely ever see a silver bullet in this line of work.

You need a guard that will protect the front door, back door, side door,
windows, roof, floor, inside door to the bathroom... also needed is a
rapid response system to identify a breach and quickly remove it with
minimum damage and lost time (and it always will, as change is the
name of this game).


My Top 5:

1. Educating users definitely makes a huge difference if you have the
time or money to do so. If not - you lose the power of those brains
working for you vs. neutral or against you (hurting themselves and you
at the same time). Also this takes consistent reinforcement, refreshing,
as the 4th of July fireworks that are brilliantly stunning and clear at
the moment of the incident fade from memory quickly... Making people
smarter (brown bag lunch presentation (with free pizza) going over do's
and don'ts) is a good thing in general. You need to "deputize" every
computer user so they are working with you/for you.

Remember - a lot of the problems experienced over the past 5+ years have
happened because of social engineering - someone did something that
started the ball rolling. People are 95 percent of the problem - they
are going to have to be 95 percent of the solution. You need to stop it
from happening to stop having to fix it.

2. Using up-to-date tools that are refreshed daily (multiple times a day
sometimes) will help reduce the chance and opportunities, mitigate and
resolve a present problem and give the responsible person the ability to
monitor and react, be it a 5-system network or a 50,000-system network.
Ten years ago people layered antivirus programs because one did not
catch everything; this changed (you had to pick one) after AV became too
big to fit on a floppy and programs became so deeply embedded that a
computer (network) could be crashed if you ran two different ones. Spyware
will probably follow this well-worn trail in a year or two - it's not going
away. There are behavior-based tools out but they have their own issues.

3. Back up key data to a central source (vault) in case a rebuild is
needed. I agree that it can be simpler and faster to just rebuild the
box - a ghosted image with core applications that can be restored
quickly is great (if your hardware allows, keep a couple of already
ghosted drives in the storage cabinet).

4. Put AV & AS on your mail server

5. Use a filtered proxy for internet traffic (like BlueCoat) with a
monthly update subscription. Scrub the incoming and outgoing internet
traffic (this has multiple benefits).


Other things --
Go to thin client - citrix
Move everyone to dumb terminals and a mainframe or AS400
Use an outside mail service to scrub and deliver your mail (this can
have multiple benefits).


Regards,
 Bruce Klein

-----Original Message-----
From: Nathan Kline [mailto:nathank@borisch.com]
Sent: Wednesday, October 26, 2005 10:53 AM
To: focus-virus@securityfocus.com
Subject: RE: Microsoft AntiSpyware falling further behind

What about the proactive spyware treatment? Everything that's been said
here is reactive. I'd rather it not even get on my machine in the first
place. A couple of practices that I personally use are:

1. Turn on the option to ask me about all cookies, say "yes" only to
the ones needed (most browsers are capable of this in privacy settings).
This can be a little annoying at first because you feel like you're
saying yes and no to every website that you go to ... But after a while,
you don't have to worry about it nearly as much because it remembers
your choices.

2. Using Firefox instead of IE (I've found this to be one of the most
helpful anti-spyware measures). Actually READ the EULAs for "free"
software that you install to see if they come bundled with adware /
spyware (sometimes they actually tell you!).

3. Not saying that reactive treatment is bad, because I do use those
measures as well ... MSAS running and scanning my computer daily as well
as Spybot S&D ... But using the proactive methods that I use, I will
MAYBE get 1 tidbit of adware on my machine a month or so and it's almost
always been easily removed by one of the aforementioned reactive
programs.

Nathan
IS Admin


-----Original Message-----
From: Kieran Murphy [mailto:Kieran.Murphy@powerscreen.co.uk]
Sent: Wednesday, October 26, 2005 11:05 AM
To: Bruce Klein; Quark IT - Hilton Travis;
focus-virus@securityfocus.com
Subject: RE: Microsoft AntiSpyware falling further behind

We take the same layered approach.

Trend IWSS at gateway with Trend OfficeScan inc Firewall / Anti-Spy on
desktops, complemented by either Spybot / MS AntiSpyware, and we do find
that one system will detect stuff the others don't.

Trend especially appears to detect lots more problematic cookies than
any of the others. The layered approach is the best, as you cannot
depend upon one vendor getting updated dat files out quicker than the
others, but by having multiple layers you increase your chances of
getting an update for one of your range of products quicker.

And Spybot and MS are both free, so it should be feasible for everyone
to have a layered approach.

Rgds, K.

-----Original Message-----
From: Bruce Klein [mailto:bruce.klein@iovation.com]
Sent: 25 October 2005 22:20
To: Quark IT - Hilton Travis; focus-virus@securityfocus.com
Subject: RE: Microsoft AntiSpyware falling further behind

There will never be a perfect solution - don't wait.

For the moment think of Spyware as cold weather and you want to be
protected (warm); put on layers to protect yourself.

Symantec has updated themselves to add Spam and Spyware to their
antivirus product. We are using Symantec, Websweeper, MS anti-spyware,
and Whole Security (behavior based AS).

You might say this is overkill but who knows for sure - while they all
play nice together I feel like I am at home by the fireplace with a good
supply of logs.


Regards,

Bruce Klein |Director of IT
O:503-943-6750
C:971-645-7304
F:503-224-1581
www.iovation.com

-----Original Message-----
From: Quark IT - Hilton Travis [mailto:Hilton@quarkit.com.au]
Sent: Friday, October 21, 2005 1:51 PM
To: focus-virus@securityfocus.com
Subject: Microsoft AntiSpyware falling further behind

Hi All,

It seems that not only does Microsoft AntiSpyware recommend that
Claria's spyware is ignored, but it also misses a significant number of
cookies that are placed on a system - I have a VPC environment where I
browse the Internet so that anywhere I go won't affect my regular
Windows session/installation. Regularly CounterSpy is detecting cookies
(such as Cok.ad.yieldmanager, CGI-Bin, Cok.AssassinTrojan2.0 and Zedo
(from yesterday's browsing)) that Microsoft AntiSpyware simply does not
know about.

Now, this is not only disappointing, but potentially dangerous. Any
customer or end user running Microsoft AntiSpyware or CounterSpy is not
being protected from these cookies, and MSAS doesn't even detect them -
that's right, neither program's active monitoring is stopping the
installation of these cookies, but at least CounterSpy is detecting them
post-installation.

AntiSpyware is far, far from the accuracy of antivirus, especially
something like NOD32. I wonder how long it will be before a decent
AntiSpyware application is released that, like NOD32 does with viruses,
actually stops spyware *before* it is installed?

--

Regards,

Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark Group                   http://quarkgroup.com.au/

Microsoft Small Business Specialists

This message may contain confidential and/or proprietary information, and is
intended only for the person/entity to which it was originally addressed.
The content of this message may contain private views and opinions which do not
constitute a formal disclosure or commitment, unless specifically stated.
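Nathan's preference for refusing cookies before they are set and Hilton's observation that CounterSpy flags tracking cookies (ad.yieldmanager, Zedo) that MSAS misses come down to the same post-installation check: does the browser's cookie store contain entries from known tracking domains? The Python below is an added example for this thread, not code from CounterSpy, MSAS or any poster. It parses a Netscape-format cookies.txt and flags cookies that come from a listed tracking domain or persist unusually long. The domain list (the two ad networks named in the thread, with their domain names assumed from the signature names, plus a `tracker.example` placeholder) and the sample cookie file are constructed.

```python
"""Scan a Netscape-format cookies.txt for tracking cookies.

Added example for the thread above; not code from CounterSpy, MSAS or any
poster. The tracking-domain list and the sample file are constructed.
"""
import time

# Constructed list: the two ad networks named in the thread (domain names
# assumed from the CounterSpy signature names) plus a placeholder. A real
# scanner would load a maintained blocklist instead of hard-coding one.
TRACKING_DOMAINS = {"ad.yieldmanager.com", "zedo.com", "tracker.example"}

# Constructed sample in cookies.txt layout (tab-separated fields: domain,
# include-subdomains flag, path, secure, expiry as epoch seconds, name, value).
SAMPLE_COOKIES_TXT = (
    "# Netscape HTTP Cookie File (constructed sample)\n"
    ".ad.yieldmanager.com\tTRUE\t/\tFALSE\t1200000000\tuid\tabc123\n"
    ".zedo.com\tTRUE\t/\tFALSE\t1200000000\tFFgeo\t2\n"
    "#HttpOnly_.example.com\tTRUE\t/\tTRUE\t1140000000\tsession\tdeadbeef\n"
    "www.example.com\tFALSE\t/\tFALSE\t1131000000\tprefs\tlang=en\n"
)


def parse_cookies_txt(text):
    """Parse cookies.txt lines into dicts.

    Lines starting with '#' are comments, except for the '#HttpOnly_' prefix
    some browsers write in front of HttpOnly cookies; those are real entries.
    """
    cookies = []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # malformed entry: skip rather than guess at the fields
        domain, _subdomains, path, secure, expiry, name, value = parts
        cookies.append({
            "domain": domain.lstrip("."),  # leading dot marks a domain cookie
            "path": path,
            "secure": secure.upper() == "TRUE",
            "expires": int(expiry),        # 0 means a session cookie
            "name": name,
            "value": value,
        })
    return cookies


def domain_matches(host, tracking):
    """True if host is a listed tracking domain or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in tracking)


def find_tracking_cookies(text, tracking=TRACKING_DOMAINS, now_epoch=None,
                          long_lived_days=365):
    """Return (domain, name, reasons) for each cookie that comes from a listed
    tracking domain or that persists for more than long_lived_days."""
    if now_epoch is None:
        now_epoch = int(time.time())
    flagged = []
    for c in parse_cookies_txt(text):
        reasons = []
        if domain_matches(c["domain"], tracking):
            reasons.append("known tracking domain")
        # Session cookies (expires == 0) are never long-lived.
        if c["expires"] and c["expires"] - now_epoch > long_lived_days * 86400:
            reasons.append(f"persists more than {long_lived_days} days")
        if reasons:
            flagged.append((c["domain"], c["name"], ", ".join(reasons)))
    return flagged


if __name__ == "__main__":
    # Fixed "now" (late October 2005, when the thread was written) so the run
    # is reproducible; omit now_epoch to scan against the current clock.
    for domain, name, why in find_tracking_cookies(SAMPLE_COOKIES_TXT,
                                                   now_epoch=1130000000):
        print(f"{domain:24} {name:10} {why}")
```

The domain match is signature-based, which is exactly the gap Hilton describes: a cookie from a network not on the list is not reported. The lifetime heuristic is the one behaviour-style rule here; it catches persistent identifiers from unlisted domains at the cost of also flagging legitimate long-lived first-party cookies, so treat its hits as items to review rather than to delete automatically.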

