Republished with permission from WatchGuard Technologies, Inc.


Spyware Remediation: Not Mission Impossible

By David Piscitello, President, Core Competence

This is what a serious spyware problem looks like:

The speedy PCs you recently purchased for your employees have slowed to a crawl. Your employees' browsers start with an unfamiliar home page and unseemly advertising. You try to visit Google to search for an item, but the search page your browser presents looks nothing like Google, and the search results bear no resemblance to your queries. Popup ads appear more frequently than ever, even in applications that you never imagined supported popups, and even when you're not online. Your credit company calls to confirm whether an employee recently purchased nine plasma TVs through your Small Business Loan.

"You've got spyware!" doesn't generate the same pleasant anticipation as "You've got mail!", does it?

Small and medium businesses are ripe targets for spyware, but they don't have to remain so. SMBs can implement an effective anti-spyware program without making a large-enterprise-sized investment. By adopting programs and practices recommended here, and carefully selecting legitimate anti-spyware helpware, you can mount an effective defense against this serious problem. Follow the steps below and you'll break spyware's stranglehold on your network.

Step 1. Education

Your employees must understand the serious problems spyware creates. Begin by circulating the companion to this article ("Spyware Risk: It's Time to 'Get Smart'") inside your organization. Post lists of known adware and spyware. Identify the many forms spyware assumes and the symptoms spyware exhibits. Incorporate spyware detection and removal into your help desk (support) process. Don't paralyze your employees with fear, but encourage them to act wisely, within the guidelines you've adopted in your Acceptable Use Policy.

Step 2. Policy

If antivirus software is mandatory for all employees, make anti-spyware software mandatory as well. (If antivirus is not mandatory on your network, read no further until you've implemented an antivirus program!) Incorporate safe browsing practices in your acceptable use policy: teach users how to distinguish between deceptive and legitimate advertising. Incorporate safe installation practices: teach users how to distinguish adware licenses from true freeware, shareware and commercial licenses. You may want to restrict or prohibit anyone but administrators from downloading freeware and shareware, or from installing programs at all. If these rules seem too Draconian for your corporate culture, ask employees to identify business-related software that might increase productivity. Then investigate this software and arrange to host it on an intranet server. Public peer-to-peer applications are notorious sources of spyware.

Many companies already block P2P because of the liabilities related to copyright infringement. Spyware prevention provides additional justification for such a policy.

Finally, explicitly indicate that this policy applies to all computers that will connect to the company network. It's not uncommon today for SMBs to prohibit any non-company-administered computer from their networks.

Step 3. Detect, Remove, and Protect!

Spyware and adware detection can be as simple as installing and running a single removal program. Small businesses can take advantage of some of the free or inexpensive standalone spyware removal tools. Three "general purpose" spyware detection and removal tools to consider are SpyBot Search and Destroy and Javacool's one-two punch, Spyware Blaster and Spyware Guard.

SpyBot Search and Destroy (donation ware) scans for and removes spyware. The intuitive reports identify the pest and the components affected. Spybot allows selective removal, provides logging, backup and recovery mechanisms (system restore points), and free updates to the pest database and software. SpyBot's immunization component is compatible with Javacool's products; in fact, it recommends you use Spyware Blaster for additional ActiveX protection.

Combined, Spyware Blaster and Spyware Guard provide protection against unintentional downloads and the installation of malicious ActiveX controls, and adware. They block browser hijacking and can restrict actions of spyware and tracking sites in Internet Explorer and Mozilla/Firefox. Javacool provides automatic updates for both products. Javacool's products are donation ware. They are free for personal and educational use and ask businesses for a small annual fee for updates.

Two consumer-grade commercial products, Webroot's SpySweeper and Alluria's Spyware Eliminator, provide similar features. Both offer toll-free and e-mail customer support.

Medium businesses might be better off investigating and investing in corporate editions (network versions) of commercial anti-spyware such as Computer Associates' PestPatrol, and Dynacomm's I:scan. These provide centralized administration of installation, configuration, and scheduled operation. Commercial anti-virus software companies are expanding their product lines to include anti-spyware. Check with your vendor to see if you can leverage an existing investment in central AV administration to deal with spyware.

Step 4. Expanding your arsenal

Some spyware is really nasty. Detection and removal can be a labor-intensive task involving several tools. It's not uncommon to find a tool that removes some but not every trace of spyware. If you choose the freeware route, you will eventually compile a toolkit to detect and repair altered Registry entries, ActiveX controls, browser helper objects, and list items in Startup or IE folders, and hidden, installed applications.

Some tools excel in detecting adware and hostile cookies. Others are better at detecting Registry or browser issues, and some help resolve those irksome "Uninstall incomplete" situations. No list of anti-spyware tools is exhaustive, but I use and recommend the following:

LavaSoft's AdAware

Very good removal tool for unwanted adware and cookies. Free and commercial versions.

AnalogX CookieWall

This cookie manager lets you keep cookies you want, "one-time allow" a cookie, block cookies you don't want, and even browse the contents of a cookie. Freeware.

Merijn's HijackThis!

In my opinion, the nmap of spyware detection. It identifies changes from default IE and registry settings, installed BHOs and DPFs, and more. Donation ware.

UR I.T. Mate Group's PUI

Program Uninstaller Information shows the uninstall string information from the System Registry, identifies programs that cannot be uninstalled, and detects certain spyware by its uninstall behavior. Freeware.

Kephyr's Bazooka

Anti-spyware work in progress. Strong on scanning capabilities but weak on removal. Provides a commendable online encyclopedia of spy and adware. Donation ware.

IE-SPYAD

Adds domain names of known disreputable advertisers to the Restricted sites zone of Internet Explorer.

Don't assume that consumer-grade anti-spyware offers a comprehensive package of detection and removal tools. Some engage in near-deceptive advertising by boasting that they detect more pests than their competitors. When tested, these proved to contain many false positives: WatchGuard users will be amused to learn that Spywaremover identifies one of the dynamic link libraries that supports FSM (al_crypt.dll) as spyware, and Spy-AdExterminator identifies Citrix's GoToMyPC as spyware. Judge comparative reviews with a grain of salt as well. Some reviews of spyware software may be biased. None of the spyware removers reviewed at Spyware Removers Review proved as effective as the programs I've mentioned. A better review is at

A good way to decide what tools best suit your organization's needs is to download and compare. First, choose a system that shows symptoms of spyware infestation. Odd as it sounds, you might want to use an employee's home computer (in my case, I used my son's). Install your anti-spyware products, and one by one, scan for spyware. Don't remove the spyware or you'll taint the comparison (a better methodology would be to create a disk image and restore this each time, but the crude comparison yields pretty good results in less time). Save or capture the results and compare. To see how valid the results are, use pestware encyclopedias from Pest Patrol and Kephyr, or use Google.

Step 5. Spyware defense in depth

An effective spyware strategy applies the time-tested security strategy of layered defenses. Consider implementing some of these additional precautions and countermeasures:

  • Maintain current patch levels for Windows OS and Internet Explorer (if your organization uses a browser other than IE, keep current with new versions and patches for this software as well).
  • Monitor bug reporting lists for browser and Operating System vulnerabilities that might offer exploit paths for spyware.
  • Block Ad servers. Resolve domain names of known ad servers to in a hosts file or at your DNS, or identify restricted sites in IE (see IE-SPYAD, above).
  • Add a known ad servers list to your firewall's blocked sites or WebBlocker denied sites lists (Note: the list is very long, so you may wish to start with the frequent and repugnant offenders).
  • Block potentially dangerous file types by content type (MIME type) at your firewall using the HTTP proxy.
  • Stay informed. Visit some of the many valuable Spyware discussion and resource sites.
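To make the hosts-file and Restricted-sites measures above repeatable across many workstations, here is an added Python example (it is not code from the article, from WatchGuard, or from IE-SPYAD) that turns a constructed ad-server list into hosts-file lines and into a .reg fragment for Internet Explorer's Restricted sites zone. The sink address 0.0.0.0 and the sample domains are assumptions; the registry path is the one IE uses for its zone map.

```python
"""Generate ad-server blocks for a hosts file and for IE's Restricted sites zone.

Added example, not from the original article. The domain list below is
constructed for illustration; a real deployment would feed in a maintained list.
"""
import re

# Constructed sample list (one duplicate differing only in case, to show de-duplication).
AD_SERVERS = [
    "ads.example-adnetwork.test",
    "tracker.example-counter.test",
    "Ads.Example-AdNetwork.test",
]

# Assumption: the unroutable sink address used by this example; the article names none.
SINK_ADDRESS = "0.0.0.0"

# Hostname syntax: labels of 1-63 chars, no leading/trailing hyphen, at least one dot.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def normalise(domains):
    """Lower-case, strip trailing dots, de-duplicate, and drop invalid hostnames."""
    seen, out = set(), []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if _DOMAIN_RE.match(d) and d not in seen:
            seen.add(d)
            out.append(d)
    return out

def hosts_lines(domains, existing_hosts=""):
    """Return new hosts-file lines, skipping names already mapped in existing_hosts."""
    present = set()
    for line in existing_hosts.splitlines():
        fields = line.split("#", 1)[0].split()   # ignore comments; fields[0] is the address
        present.update(h.lower() for h in fields[1:])
    return [f"{SINK_ADDRESS} {d}" for d in normalise(domains) if d not in present]

# Per-user zone map; a value named "*" under a domain key assigns all schemes to that zone.
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
RESTRICTED_ZONE = 4  # IE zone id 4 = Restricted sites

def restricted_sites_reg(domains):
    """Build a .reg file body placing each domain in IE's Restricted sites zone."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for d in normalise(domains):
        lines += [f"[{ZONE_KEY}\\{d}]", f'"*"=dword:{RESTRICTED_ZONE:08x}', ""]
    return "\n".join(lines)

if __name__ == "__main__":
    print("\n".join(hosts_lines(AD_SERVERS, "127.0.0.1 localhost")))
    print(restricted_sites_reg(AD_SERVERS))
```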

Spyware is frustrating and dangerous. It deserves as much attention as spam and viruses. Employing these measures will help you maintain productivity and good performance. They will also protect your users from privacy violations and identity theft, and guard your company from spyware-related liabilities.

Editor's Note. LiveSecurity reader Mike Kracker sent this practical reminder: if you do use Spybot, disable it temporarily when you upgrade to Windows XP SP2. Otherwise, Spybot's real-time clients for Windows and IE will cause disruption. Generally, Microsoft recommends you turn off services and non-critical applications when you install service packs. Your anti-spyware package might not come to mind unless you make a special note of it. Thanks for the tip, Mike! If you have anti-spyware tips to share, let WatchGuard's LiveSecurity editor know at --Scott Pinzon


Spyware Risk: It's Time to "Get Smart"
(The prequel to the article you just read)

Dave's Anti-spyware Resource Page

The CoolWebSearch Chronicles
Details the variants of this notorious browser hijacker

Antivirus and Antispyware must be the same ware
Opinion from Dave Piscitello, posted on the Loop site.

Copyright© 2004, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.
