First off let me say that I work for a gateway AV, AS, Anti-spyware
company. www.esafe.com
Here is a site that did a GREAT job of reviewing the ups and downs of
many of the products out there (both gateway and desktop). (eSafe,
Bluecoat, Microsoft, etc)
http://www.networkworld.com/reviews/2005/091205-spyware-test.html
As all the other threads have said... The proactive approach is by far
the best way to deal with this ever evolving threat. Currently there
are over 112,000 (src: webroot) spyware signatures that have been
evaluated, and this number is growing daily. There are many products
that battle these problems: gateway and desktop (hereafter called
endpoint).
All gateway products have a great advantage over endpoint solutions.
They have a low TCO, due to a single point of management. The endpoint
approach has the deployment, daily management, and management when an
event occurs.
With the above said, the endpoints are needed as part of a 'Defense in
Depth' solution. Endpoints are often connected to the internet outside
the protection of the corporate environment. 'Defense in Depth' also
refers to a multi-vendor approach, and is a needed part of a robust
security practice.
> AntiSpyware is far, far from the accuracy of antivirus, especially
> something like NOD32. I wonder how long it will be before a decent
> AntiSpyware application is released that, like NOD32 does with
> viruses, actually stops spyware *before* it is installed?
> Hilton Travis
I find the products that people pay for are better than the free ones
(eg webroot, eSafe, etc). With this said, people often talk about ROI.
Here are my thoughts on a product that costs vs. a free product.
If you have an infection then you will spend xx dollars in lost
productivity and xx dollars rebuilding a machine. With Scumware (Spyware,
Adware, Keyloggers, etc) the computer is usually still functional. The
problem is not as apparent. Justification of ROI is harder due to the
non-physical risk.
((Time * Cost of Labor)+ Endpoint downtime + Project Management)
= Cost of this one infection.
Other things that are harder to quantify:
Loss of control of data
Loss of passwords (loss of security)
Machine slow down
Machine freeze ups
Calls to help desk
Being black listed (due to zombies)
With a proactive solution the infection never reaches the point of
installation. With a reactive approach the problem now needs a pound of
cure.
With all anti-X (AV, Anti-spyware, etc) you are buying risk mitigation.
A good ROI write-up:
http://documents.iss.net/whitepapers/Business_Value_of_Security_Whitepaper.pdf
The bottom line is you need more than just a desktop solution. Even if
it is Microsoft's ;)
Respectfully,
William D. Ward 847-637-4047
> -----Original Message-----
> From: Bruce Klein [mailto:bruce.klein (at) iovation (dot) com [email concealed]]
> Sent: Wednesday, October 26, 2005 16:30
> To: Nathan Kline; focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: RE: Microsoft AntiSpyware falling further behind
>
> Being Pro-active vs. Post Mortem (tending to the corpse) or a whole
> other direction... which is effective and costs less (time/money)?
>
> So the following may be too long but I need to say it. You may end up
> asking "what's my point". It is simply that this is part of the job - you
> might as well make it as easy as possible for yourself.
>
> The last messages I have seen are leading in the same direction ---
> How do we do this better & smarter (faster, cheaper, spend less time on a
> no added value task). There is value added here (although it seems like a
> waste) - it is maintaining the status quo so everyone (the non-IT
> people) can do their computer based work/job.
>
> Today I don't see THE technology (only) solution that can do this and
> I rarely ever see a silver bullet in this line of work.
>
> You need a guard that will protect the front door, back door, side
> door, windows, roof, floor, inside door to the bathroom... also needed is a
> rapid response system to identify a breach and quickly remove it with
> minimum damage and lost time (and it always will, as change is the
> name of this game).
>
>
> My Top 5:
>
> 1. Educating users definitely makes a huge difference if you have the
> time or money to do so. If not - you lose the power of those brains
> working for you vs. neutral or against you (hurting themselves and you
> at the same time). Also this takes consistent reinforcement,
> refreshing, as the 4th of July fireworks that are brilliantly stunning and clear
> at the moment of the incident fade from memory quickly... Making people
> smarter (brown bag lunch presentation (with free pizza) going over
> do's and don'ts) is a good thing in general. You need to "deputize" every
> computer user so they are working with you/for you.
>
> Remember - a lot of the problems experienced over the past 5+ years
> have happened because of social engineering - someone did something that
> started the ball rolling. People are 95 percent of the problem - they
> are going to have to be 95 percent of the solution. You need to stop
> it from happening to stop having to fix it.
>
> 2. Using up-to-date tools that are refreshed daily (multiple times a day
> sometimes) will help reduce the chance and opportunities, mitigate and
> resolve a present problem and give the responsible person the ability
> to monitor and react, be it a 5 system network or a 50,000 system network.
> Ten years ago people layered antivirus programs because one did not
> catch everything; this changed (you had to pick one) after AV became too
> big to fit on a floppy and programs became so deeply embedded a
> computer (network) could be crashed if you ran two different ones. Spyware will
> probably follow this well worn trail in a year or two - it's not going
> away. There are behavior based tools out but they have their own
> issues.
>
> 3. Back up key data to a central source (vault) in case a rebuild is
> needed. I agree that it can be simpler and faster to just rebuild the
> box - a ghosted image with core applications that can be restored
> quickly is great (if your hardware allows keep a couple of already
> ghosted drives in the storage cabinet ).
>
> 4. Put AV & AS on your mail server
>
> 5. Use a filtered proxy for internet traffic (like BlueCoat) with a
> monthly update subscription. Scrub the incoming and outgoing internet
> traffic (this has multiple benefits).
>
>
> Other things --
> Go to thin client - citrix
> Move everyone to dumb terminals and a mainframe or AS400
> Use an outside mail service to scrub and deliver your mail (this can
> have multiple benefits).
>
>
> Regards,
> Bruce Klein
>
> -----Original Message-----
> From: Nathan Kline [mailto:nathank (at) borisch (dot) com [email concealed]]
> Sent: Wednesday, October 26, 2005 10:53 AM
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: RE: Microsoft AntiSpyware falling further behind
>
> What about the proactive spyware treatment? Everything that's been
> said here is reactive. I'd rather it not even get on my machine in the
> first place. A couple practices that I personally use are:
>
> 1. Turn on the option to ask me about all cookies, say "yes" only to
> the ones needed (most browsers are capable of this in privacy
> settings). This can be a little annoying at first because you feel like you're
> saying yes and no to every website that you go to ... But after a
> while, you don't have to worry about it nearly as much because it remembers
> your choices.
>
> 2. Using Firefox instead of IE (I've found this to be one of the most
> helpful anti-spyware measures). Actually READ the EULAs for "free"
> software that you install to see if they come bundled with adware /
> spyware (sometimes they actually tell you!).
>
> 3. Not saying that reactive treatment is bad, because I do use those
> measures as well ... MSAS running and scanning my computer daily as
> well as Spybot S&D ... But using the proactive methods that I use, I will
> MAYBE get 1 tidbit of adware on my machine a month or so and it's
> almost always been easily removed by one of the aforementioned reactive
> programs.
>
> Nathan
> IS Admin
>
>
> -----Original Message-----
> From: Kieran Murphy [mailto:Kieran.Murphy (at) powerscreen.co (dot) uk [email concealed]]
> Sent: Wednesday, October 26, 2005 11:05 AM
> To: Bruce Klein; Quark IT - Hilton Travis;
> focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: RE: Microsoft AntiSpyware falling further behind
>
> We take the same layered approach.
>
> Trend IWSS at gateway with Trend OfficeScan inc Firewall / Anti-Spy on
> desktops, complemented by either Spybot / MS AntiSpyware, and we do
> find that one system will detect stuff the others don't.
>
> Trend especially appears to detect lots more problematic cookies than
> any of the others. The layered approach is the best, as you cannot
> depend upon one vendor getting updated dat files out quicker than the
> others, but by having multiple layers you increase your chances of
> getting an update for one of your range of products quicker.
>
> And Spybot and MS are both free, so it should be feasible for everyone
> to have a layered approach.
>
> Rgds, K.
>
> -----Original Message-----
> From: Bruce Klein [mailto:bruce.klein (at) iovation (dot) com [email concealed]]
> Sent: 25 October 2005 22:20
> To: Quark IT - Hilton Travis; focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: RE: Microsoft AntiSpyware falling further behind
>
> There will never be a perfect solution - don't wait.
>
> For the moment think of Spyware as cold weather and you want to be
> protected (warm); put on layers to protect yourself.
>
> Symantec has updated themselves to add Spam and Spyware to their
> antivirus product. We are using Symantec, Websweeper, MS anti-spyware,
> and Whole Security (behavior based AS).
>
> You might say this is overkill but who knows for sure - while they all
> play nice together I feel like I am at home by the fireplace with a
> good supply of logs.
>
>
> Regards,
>
> Bruce Klein |Director of IT
> O:503-943-6750
> C:971-645-7304
> F:503-224-1581
> www.iovation.com
>
> -----Original Message-----
> From: Quark IT - Hilton Travis [mailto:Hilton (at) quarkit.com (dot) au [email concealed]]
> Sent: Friday, October 21, 2005 1:51 PM
> To: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Microsoft AntiSpyware falling further behind
>
> Hi All,
>
> It seems that not only does Microsoft AntiSpyware recommend that
> Claria's spyware is ignored, but it also misses a significant amount
> of cookies that are placed on a system - I have a VPC environment where I
> browse the Internet so that anywhere I go won't affect my regular
> Windows session/installation. Regularly CounterSpy is detecting
> cookies (such as Cok.ad.yieldmanager, CGI-Bin, Cok.AssassinTrojan2.0 and Zedo
> (from yesterday's browsing)) that Microsoft AntiSpyware simply does
> not know about.
>
> Now, this is not only disappointing, but potentially dangerous. Any
> customer or end user running Microsoft AntiSpyware or CounterSpy is
> not being protected from these cookies, and MSAS doesn't even detect them
> - that's right, neither program's active monitoring is stopping the
> installation of these cookies, but at least CounterSpy is detecting
> them post-installation.
>
> AntiSpyware is far, far from the accuracy of antivirus, especially
> something like NOD32. I wonder how long it will be before a decent
> AntiSpyware application is released that, like NOD32 does with
> viruses, actually stops spyware *before* it is installed?
>
> --
>
> Regards,
>
> Hilton Travis Phone: +61 (0)7 3344 3889
> (Brisbane, Australia) Phone: +61 (0)419 792 394
> Manager, Quark IT http://www.quarkit.com.au
> Quark Group http://quarkgroup.com.au/
>
> Microsoft Small Business Specialists
>
This message may contain confidential and/or proprietary information, and is intended
only for the person/entity to which it was originally addressed.
The content of this message may contain private views and opinions which do not
constitute a formal disclosure or commitment, unless specifically stated.