The author hosted a Webcast for the Expert Answer Center entitled "5 Things to Do About Spyware". This article expands on ideas in that webcast and will be followed up next week with a review of the current antispyware market.
This tip is about understanding and applying best practices when it comes to dealing with spyware and adware, be it on a single desktop, a handful of machines on a home or small office network or at the enterprise level. It's best expressed as a series of admonitions on ways to make sure your computers (and users) are wise to the ways of spyware and know how to protect themselves against it.
Preventing spyware is a process that has many layers. Some roles are performed by users and some by the administrator. These bits of advice begin with the basics and move on to more advanced practices.
"Protect Your PC"
This is actually the title of an informative and useful Web page on the Microsoft Web site. When it first appeared it advised everybody who visited to (a) keep Windows up to date, (b) use a personal firewall, and (c) use current antivirus software.
These days it exhorts its visitors to "Use Microsoft Windows Security Center" (which covers all of the aforementioned bases), and to "Get antispyware software," which includes the excellent Microsoft AntiSpyware beta software package (still available for free; Microsoft links to Lavasoft Ad-Aware SE and to Spybot Search & Destroy in its antispyware pages as well, much to my amazement).
Use a spyware scanner/screener
You won't be protected against spyware and adware unless you install an appropriate antispyware package (see TopTenReviews Inc.'s Anti-Spyware ratings for pointers). The first such package you install on your machine generally works much like antivirus software: it not only runs at regular intervals and scans your machine, but also checks all incoming files, messages, Web pages and so forth to look for and block spyware, adware and other malware before it takes up residence on your machine. The screening function is therefore very important, because it provides real-time protection against potential infestation by malicious software.
Run one or more back-up scans weekly
Recent studies show that, unlike antivirus packages (many of which routinely achieve 100% effectiveness ratings in the virus handling department, as demonstrated by the Virus Bulletin 100% award), no single antispyware package can correctly identify or block all known spyware (not to mention new, unknown spyware).
Thus, best practices dictate that you install at least two antispyware packages on all machines. Use one for real-time screening and regular scans; use the other once a week as a backup scanner to catch spyware and adware that the other may miss. And, of course, it's essential to keep both (or more) such packages up-to-date to make sure they're scanning for what's really out there. It's also best to automate this activity to prevent human fallibility from allowing spyware to go undiscovered.
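One way to automate the weekly backup scan and the "are the definitions current?" check described above, as an added PowerShell example that is not part of the original tip and not the code of any particular antispyware product. It assumes a Windows version with the ScheduledTasks module (Windows 8 / Server 2012 or later); the scanner path, its command-line arguments, the definition-file path and the seven-day freshness threshold are placeholders to be replaced with the values for whatever backup scanner you chose.

```powershell
# Added example (not from the original article): register a weekly backup
# scan as a scheduled task and verify that the scanner's definition file is
# recent. Every path and argument below is a placeholder for your own product.
$BackupScanner       = 'C:\Program Files\BackupScanner\scan.exe'  # placeholder
$ScanArguments       = '/scan /quiet'                             # placeholder
$DefinitionFile      = 'C:\Program Files\BackupScanner\defs.dat'  # placeholder
$MaxDefinitionAgeDays = 7                                         # assumed threshold

function Register-WeeklyBackupScan {
    param([string]$TaskName = 'Weekly Backup Spyware Scan')
    $action  = New-ScheduledTaskAction -Execute $BackupScanner -Argument $ScanArguments
    $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am
    # Run as SYSTEM so the scan happens whether or not anyone is logged on.
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force | Out-Null
}

function Test-DefinitionFreshness {
    param([string]$Path = $DefinitionFile, [int]$MaxAgeDays = $MaxDefinitionAgeDays)
    if (-not (Test-Path $Path)) {
        return @{ Fresh = $false; Reason = 'definition file missing' }
    }
    # Age is measured from the file's last write; an update that never ran
    # shows up as stale definitions, which is exactly the failure to catch.
    $age = (Get-Date) - (Get-Item $Path).LastWriteTime
    if ($age.TotalDays -gt $MaxAgeDays) {
        return @{ Fresh = $false; Reason = ('definitions are {0:N0} days old' -f $age.TotalDays) }
    }
    return @{ Fresh = $true; Reason = ('definitions updated {0:N0} days ago' -f $age.TotalDays) }
}

Register-WeeklyBackupScan
$check = Test-DefinitionFreshness
if ($check.Fresh) { Write-Output "Backup scanner OK: $($check.Reason)" }
else              { Write-Warning "Backup scanner: $($check.Reason)" }
```

Run it once from an elevated prompt to create the task; the freshness check can be dropped into a logon script or monitoring job so that a scanner whose updates have silently stopped is noticed rather than trusted.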
Understand clean-up: process and tools
Just as antivirus software does for viruses, antispyware tools can detect and clean up after most known forms of spyware infestation. Nevertheless, it pays to get to know powerful, general-purpose clean-up tools such as Hijack This!. You can download it from MajorGeeks.com, where you'll also find a great spyware, adware and virus removal tutorial that explains the general tasks and processes involved. The "official" Hijack This! tutorial also references other great sources of information and instruction on how to use it for detection and to help guide clean-up.
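The core of what a general-purpose clean-up tool like Hijack This! does is enumerate the places Windows starts programs from and let you judge each entry. The following PowerShell script is an added example, not the article's and not Hijack This!'s own code: it lists the Run/RunOnce keys and Internet Explorer's Browser Helper Objects, resolves each entry to its executable or DLL, and flags files that are missing or carry no valid Authenticode signature. The registry locations are the standard Windows ones; the helper names (Get-ExecutablePath, Get-FileTrustStatus, Get-AutostartReport) are this example's own.

```powershell
# Added example (not from the original article or from Hijack This!):
# list the autostart locations most often abused by spyware and flag
# entries whose file is missing or not validly signed.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Properties the registry provider adds to every Get-ItemProperty result.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutablePath {
    # Extract the program path from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /background   or   C:\foo\bar.exe -x
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')  { return $matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $CommandLine.Trim()
}

function Get-FileTrustStatus {
    param([string]$Path)
    if (-not $Path) { return 'NO PATH' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path $expanded)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    if ($sig.Status -eq 'Valid') { return "signed by $($sig.SignerCertificate.Subject)" }
    # Unsigned is not proof of malice, but it is where a manual review starts.
    return "UNSIGNED or invalid ($($sig.Status))"
}

function Get-AutostartReport {
    $report = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties | Where-Object { $ProviderProps -notcontains $_.Name } |
                 Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $path = Get-ExecutablePath ([string]$props.$name)
            $report += New-Object PSObject -Property @{
                Location = $key; Name = $name; Path = $path; Status = (Get-FileTrustStatus $path)
            }
        }
    }
    # Each BHO subkey is a CLSID; the DLL lives under the CLSID's InprocServer32 key.
    if (Test-Path $BhoKey) {
        foreach ($clsid in (Get-ChildItem $BhoKey).PSChildName) {
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
            $report += New-Object PSObject -Property @{
                Location = $BhoKey; Name = $clsid; Path = $dll; Status = (Get-FileTrustStatus $dll)
            }
        }
    }
    return $report
}

Get-AutostartReport | Sort-Object Status | Format-Table Status, Name, Path, Location -AutoSize
```

Read the output the way the Hijack This! tutorials tell you to read a log: the entries marked FILE MISSING or UNSIGNED are the ones to look up before deciding whether to remove them, not automatic deletions. Services, scheduled tasks and Winlogon's Shell/Userinit values are further autostart points a fuller tool would cover in the same way.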
Use a rootkit detector
There's another kind of malware making the Internet rounds these days. It's a special, extremely stealthy form of software that's designed to install and run itself as undetectably as possible.
Rootkits are special-purpose software toolkits, targeted at specific operating systems (or families of systems, such as all 32-bit versions of Windows), that are designed to mask intrusion and give intruders administrator-level access. Rootkits usually install on one or more systems and operate silently and stealthily in the background, collecting user account names and passwords to facilitate further intrusion and compromise.
Although these tools often work and run by themselves (and are no less dangerous in that mode), they are increasingly incorporated into spyware and viruses by clever hackers. They may even be combined with Trojans so that what they learn can be reported to remote locations across a network or the Internet, and they allow keyloggers to capture account info, passwords and other sensitive data.
The real problem with rootkits is that most antivirus or antispyware tools can't detect them. A special class of tool, called a rootkit detector, is required to ferret out such malware. What's worse is that no automated clean-up tools yet exist to get rid of rootkits, so the only cure for an infestation is to wipe the drives clean and reinstall your system (and then restore your data files and software from a known clean backup).
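Rootkit detectors find what ordinary scanners miss by comparing two views of the same system and reporting what one view shows and the other hides. The following PowerShell script is an added example of that cross-view idea, written for this tip and not taken from the article or from any named detector. It assumes a Windows host and uses a P/Invoke wrapper (here named Win32.Native) for the real kernel32 OpenProcess call: the "high-level" view is the process list Get-Process returns, the "low-level" view is built by attempting to open every possible process ID, and a PID that can be opened but never appears in the list is reported.

```powershell
# Added example (not from the original article or any named rootkit detector):
# cross-view process check. Get-Process gives the enumeration view; trying
# OpenProcess on every PID gives an independent view, because the kernel
# resolves a PID through its handle table rather than the process list.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5   # the PID exists; we are merely not allowed to open it

function Get-LowLevelPidSet {
    # Windows allocates PIDs in multiples of 4; $MaxPid is an assumed ceiling
    # (raise it on systems where PIDs are observed above 65535).
    param([int]$MaxPid = 65535)
    $found = New-Object System.Collections.Generic.HashSet[int]
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h   = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if ($h -ne [IntPtr]::Zero) {
            [void]$found.Add($candidate)
            [void][Win32.Native]::CloseHandle($h)
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            [void]$found.Add($candidate)
        }
        # Any other error (e.g. ERROR_INVALID_PARAMETER) means no such process.
    }
    return $found
}

function Find-HiddenProcesses {
    $before = @(Get-Process | ForEach-Object { $_.Id })
    $low    = Get-LowLevelPidSet
    $after  = @(Get-Process | ForEach-Object { $_.Id })
    # A process that started or exited mid-scan shows up in one snapshot;
    # only a PID absent from both enumeration snapshots is a real discrepancy.
    $visible = New-Object System.Collections.Generic.HashSet[int]
    foreach ($id in ($before + $after)) { [void]$visible.Add($id) }
    return @($low | Where-Object { -not $visible.Contains($_) })
}

$hidden = Find-HiddenProcesses
if ($hidden.Count -eq 0) {
    Write-Output 'No PID reachable by OpenProcess is missing from the enumeration view.'
} else {
    Write-Warning "PIDs reachable by OpenProcess but absent from Get-Process: $($hidden -join ', ')"
}
```

This catches a process hidden by filtering the enumeration API or by unlinking it from the kernel's process list, which is why early detectors used exactly this trick; a rootkit that also intercepts process-open calls defeats it, and a detector that works from a different vantage point (offline disk inspection, or a boot from known-clean media) is the next step. A hit here is a reason to preserve evidence and follow the wipe-and-reinstall advice above, not to attempt in-place removal.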
To learn more on this topic and get pointers to detectors, visit rootkit.com, or read the book by that site's principals, Greg Hoglund and Jamie Butler: Rootkits: Subverting the Windows Kernel (Addison-Wesley, 2005, ISBN: 0321294319).
By following these simple steps -- and selecting the right software components to handle the various activities and protections described here -- individuals and organizations can achieve reasonable protection against malicious software. More on the details (and tools) involved in next week's tip!
About the author: Ed Tittel is the Series Editor for Exam Cram 2, and the author of The PC Magazine Guide to Fighting Spyware, Viruses, and Malware (Wiley, 2004, ISBN: 0764577697). He reports regularly on Windows certification, security, and development topics. E-mail Ed at firstname.lastname@example.org.