Scheduling spyware scans through GP

TeKniques, Member, Posts: 1,262
Question for anyone who might know:

At work I have been having users infect their computers with spyware quite a bit. This is a pain in my @ss because I have to go around and fix it (usually by running Ad-aware, spybot, e-wido, etc). This is obviously because of the Internet sites I imagine that some people browse to. Regardless, I have to leave full Internet access open because of the nature of work we do. My question is this:

Say I take an executable like Spybot and wrap it in an MSI file and assign it through group policy. Is there a way that I can schedule Spybot to update and scan the client computers through GP so that the user pretty much only has to push 'scan now' to activate the scan?

I'm sure this is possible, I'm just not having any luck doing any Google searches. If an MCSE or a person with a lot of knowledge using AD could give me a hand I would appreciate it.

Thanks!

Comments

  • JDMurray, Admin, Posts: 13,026
    Why not just use an enterprise version of one or two good spyware scanners that are designed for scanning machines on an AD network? Ad-Aware Enterprise is a good choice.

    Also, set a group policy to disable IE and only allow your users to Web browse using FireFox, or disable IE's ability to load ActiveX controls. That'll clear up a lot of your infection problems.
  • TeKniques, Member, Posts: 1,262
    jdmurray wrote:
    Why not just use an enterprise version of one or two good spyware scanners that are designed for scanning machines on an AD network? Ad-Aware Enterprise is a good choice.

    Certainly a viable option, I will look into it. I was hoping to save the company money, because frankly they don't care if I'm up all day running around fixing things. I'm just trying to make my job easier :D

    jdmurray wrote:
    Also, set a group policy to disable IE and only allow your users to Web browse using FireFox, or disable IE's ability to load ActiveX controls. That'll clear up a lot of your infection problems.

    The problem is that we are a Windows shop that develops software exclusively for Windows. We need IE to test the software. Of course we don't prevent users from using FireFox (I use it all day), but the option of using IE has to be there. I guess disabling ActiveX controls is one option I can think about though.
  • TheShadow, Member, Posts: 1,057
    Well I don't know how you feel about this but there is always Microsoft's tool that allows automatic scans. The problem is it is a beta. It is in beta 2 and is now officially known as Windows Defender (Beta 2). You can let it scan across the net or install the MSI. Here is a link to a download button. Once installed you will end up with a bullseye icon in the task tray. It is updated fairly often, the last being 3/10/06. Spyware became a pet peeve/project of Billg after he was bombed with some.

    http://www.microsoft.com/security/malwareremove/default.mspx

    You also might wish to bookmark the home page to the things Microsoft is doing security related which is the following link

    http://www.microsoft.com/technet/security/default.mspx

    Edit: I see, checking links, that Defender has a home page now:

    http://www.microsoft.com/athome/security/spyware/software/default.mspx
    Who knows what evil lurks in the heart of technology?... The Shadow DO
  • keatron, Member, Posts: 1,213
    I agree with JD. First off, group policy is not designed to actually run software (at least not like you're describing). Doing this via group policy would probably be most effective if scripted (and that could get real nasty). Group policy is designed primarily to control the AD environment, and roll out software updates/patches/installs. I wouldn't try to stretch it too far beyond that. Again I'd agree with JD's advice on disabling ActiveX, and this my friend CAN be rolled out via Group Policy.
  • TeKniques, Member, Posts: 1,262
    Thanks guys for the advice. In regards to Windows Defender, I cannot deploy any software on the network that is in Beta right now. I had already considered that, but it is policy that we just cannot do that.

    I checked with Lavasoft and for the amount of users I have the cost of the Enterprise software is about $2,000 with 1 year support. I will present that and see if I can get the green to make it happen. In the meantime I will roll out disabling ActiveX controls, anything to help relieve this pain I endure occasionally.

    The amazing thing is that the majority of our employees are .NET programmers, project managers, database people, and product support techs. You would think these people knew better, but the office administration people actually are the ones that never have stuff happen to their computers! Go figure hehe :o
  • keatron, Member, Posts: 1,213
    From what it sounds like, "2 stacks" is an amount that you will easily see the ROI on pretty quickly. Just put together some documentation showing how much time you spend on fighting this war every month/week then multiply the hours by what they pay you per hour and show em the numbers. Just be careful not to make statements like "all spyware problems will be completely gone if we use this software". Good luck.

    Keatron
  • rossonieri#1, Member, Posts: 799
    hello,

    I have tried Trend Micro's Network VirusWall switch - it's a manageable antivirus switch box, and it does a lot better, I think.

    cheers..
    the More I know, that is more and More I dont know.
  • sprkymrk, Member, Posts: 4,884
    I agree with the majority of the other posts, but here is another possible solution closer to what you originally were thinking about doing.

    At http://www.safer-networking.org/en/faq/30.html you will find a list of command line options that work with the main spybot executable and the spybot installer. Here is an example of running spybot from the command line:

    spybotsd.exe /autoupdate /minimized /autocheck /autofix /autoclose

    Obviously, this will start spybot minimized, check for updates, run a check for spyware, fix problems, and close. You can schedule this task to run on all your computers using a batch file with the "for" and "at" commands. Create a list of computers using dsquery, then run something like this:

    for /f %%C in (c:\temp\computerlist.txt) do at \\%%C 22:00 /every:M,T,W,Th,F,S,Su "spybotsd.exe /autoupdate /minimized /autocheck /autofix /autoclose"

    This should schedule spybot to run every day at 10PM. Now your only problem is getting it installed on everyone's computer. If you are able to create an msi or zap file, you can deploy it (either assigned or published) via AD and GP. Otherwise, I recommend using psexec from SysInternals: www.sysinternals.com/Utilities/PsExec.html and a batch file to deploy it using spybot's installer options, something like:

    for /f %%C in (c:\temp\computerlist.txt) do psexec \\%%C -s -c spybotsd14.exe /verysilent

    You may have to create a separate batch file for the installer and tell psexec to run that instead. Either way, good luck!

    Mark
    All things are possible, only believe.
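
The scheduling loop described in the post above, reworked as an added example that is not part of the original thread: it uses `schtasks` (the replacement for the deprecated `at` command on current Windows), skips hosts that do not answer, and logs the result per host. The task name, the log path and the Spybot install path are assumptions to adjust for your environment.

```batch
@echo off
rem Added example (not from the thread): schedule a nightly Spybot scan on
rem every host in a list and record which hosts could not be scheduled.
rem ASSUMPTIONS: LOG, SPYBOT and the task name are placeholders.
rem The list holds one host name per line, for example produced with:
rem   dsquery computer -o rdn -limit 0 > c:\temp\computerlist.txt
setlocal

set "LIST=c:\temp\computerlist.txt"
set "LOG=c:\temp\spybot-schedule.log"
set "SPYBOT=C:\Tools\Spybot\spybotsd.exe"
set "ARGS=/autoupdate /minimized /autocheck /autofix /autoclose"
set /a OK=0, FAIL=0

if not exist "%LIST%" (
    echo Computer list %LIST% not found.
    exit /b 2
)

> "%LOG%" echo Scheduling run started %DATE% %TIME%

rem %%~C strips the quotes that dsquery puts around each name.
for /f "usebackq tokens=1" %%C in ("%LIST%") do (
    rem Hosts that are off or unreachable are logged for follow-up.
    ping -n 1 -w 1000 %%~C >nul 2>&1
    if errorlevel 1 (
        >> "%LOG%" echo UNREACHABLE %%~C
        set /a FAIL+=1
    ) else (
        rem /f overwrites an existing task, so the script can be re-run safely.
        schtasks /create /s %%~C /ru SYSTEM /tn "SpybotNightly" /sc daily /st 22:00 /f /tr "%SPYBOT% %ARGS%" >nul 2>&1
        if errorlevel 1 (
            >> "%LOG%" echo FAILED %%~C
            set /a FAIL+=1
        ) else (
            >> "%LOG%" echo SCHEDULED %%~C
            set /a OK+=1
        )
    )
)

echo Scheduled: %OK%  Failed or unreachable: %FAIL%  Log: %LOG%
endlocal
```

Run it from an account with administrative rights on the target machines; the log gives the list of hosts that still need the task created once they are back online.
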
  • RussS, Member, Posts: 2,068
    TeKniques - I would check the corporate version of Pest Patrol.
    www.supercross.com
    FIM website of the year 2007
  • sprkymrk, Member, Posts: 4,884
    I've got the Corp Edition of Counter Spy. It's okay, but still buggy on the management end. The client itself is a good app, but the Console/Server side is slow, buggy, and non-intuitive.

    I didn't recommend an Enterprise version because he mentioned a $$$ issue and specifically asked about SSD.

    As an aside, how does the Corporate Version of PP work now? I had the version (for about a year) that was the first to hit the shelves, but it wasn't very good either. I have heard they made improvements and it incorporates with AD fairly well. Is that true?
    All things are possible, only believe.
  • TeKniques, Member, Posts: 1,262
    Thank you all for the excellent suggestions. Sprkymrk, what you suggested was exactly what I was originally thinking, but forgot to mention the batch file and scripting as Keatron mentioned earlier.

    I am exploring all avenues. I am pricing out all the corporate versions of some of these scanners to present to management. Like Keatron said earlier, the price is not bad and the ROI will be quick because I have to do this a few times a week for about 30 minutes at a time.