Fight back against spyware

By Brien M. Posey MCSE, TechRepublic
04 October 2004 09:00 AM
Tags: security, spy, spyware, winsock

Page III: Spyware is a growing annoyance for users and organisations. With these techniques, you can help get spyware under control.

The catch with using software restriction policies is that although there are several different ways to set them up, for all practical purposes, you need to know what software it is that you are trying to block. For example, you can't just configure the software restriction policies to keep games off of a workstation, but you can specify which games should be blocked, assuming that you know the name of one or more of the files that make up the games. It works the same way for fighting spyware. You need to know the name of the files used by a spyware module before you can block it.

So, you can't use software restriction policies as a catch-all solution to spyware because new spyware modules come out every day, and many actually use system files (which can't be restricted). The policies are effective, though, against some of the more well-known types of spyware.

A good example of this is Gator Corporation, which recently changed its name to Claria Corporation. I'm not going to outright refer to the Gator software as spyware, because recently Claria has been filing libel suits against anyone who does; however, Claria's software does have that reputation.

In case you aren't familiar with the Gator software, here's how it works. Gator is an electronic wallet. It keeps track of your personal information so that any time you are asked to fill out a form on the Web, Gator fills in as much of the information as it can automatically. It sounds nice in theory, but in exchange for this convenience, Gator requires you to allow Claria to monitor your Web browsing habits and display targeted pop-up ads on your PC through the Gator Advertising Network (sometimes referred to as GAIN).

One thing that separates Gator from other types of spyware is that Claria actually discloses upfront that it will be monitoring your Web surfing habits and displaying ads on your system. Although it does disclose this information, the Gator installer tends to pester and entice users into installing it. Fortunately, you can block Gator through the use of software restriction policies.

There are several different versions of Gator floating around, but if you create a software restriction policy that blocks the files FSG.EXE, FSG_3202.EXE, and TRICKLER.EXE, you can prevent users from infesting workstations with Gator.

To create a Gator-blocking software restriction policy in Windows XP, open the Control Panel and click the Performance And Maintenance link, followed by the Administrative Tools link. Next, double-click the Local Security Policy icon to open the Group Policy Editor.

When the editor opens, navigate to Security Settings | Software Restriction Policies | Additional Rules. Right-click on the Additional Rules container and select the New Path Rule option from the resulting shortcut menu. When you do, you will see the New Path Rule dialog box. Enter %SYSTEMROOT%\FSG.EXE into the Path box. Make sure that the Security Level option is set to Disallowed, and enter a description indicating that you are preventing Gator. Click OK and repeat the procedure for the FSG_3202.EXE and TRICKLER.EXE files. The new software restriction policies will look something like what you see in Figure B.

Figure B

Some spyware can be prevented by using software restriction policies.

Using a firewall to prevent spyware
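The same three path rules can be created and audited from a script rather than through the dialog box. The block below is an added example and is not code from the article or from Microsoft; it assumes (as the GUI procedure above does) that Software Restriction Policies have already been created on the machine so that the Additional Rules container exists, that local SRP rules are stored under HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths with level 0 meaning Disallowed, and that each rule is a GUID-named subkey carrying ItemData, SaferFlags and Description values. The function names are my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): create the Gator path rules the article
# builds in the Local Security Policy GUI, then list what is actually disallowed.
# Assumed registry layout: ...\Safer\CodeIdentifiers\0\Paths\{GUID} (0 = Disallowed).

$DisallowedPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$GatorFiles = 'FSG.EXE', 'FSG_3202.EXE', 'TRICKLER.EXE'   # file names from the article

function Add-DisallowedPathRule {
    param([string]$Path, [string]$Description)
    if (-not (Test-Path $DisallowedPaths)) { New-Item -Path $DisallowedPaths -Force | Out-Null }
    # Make re-runs idempotent: return the existing rule if this path is already covered
    $existing = Get-ChildItem $DisallowedPaths -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Path }
    if ($existing) { return $existing.PSChildName }
    $key = New-Item -Path $DisallowedPaths -Name ('{' + [guid]::NewGuid().ToString() + '}')
    # ItemData is REG_EXPAND_SZ so %SYSTEMROOT% is expanded when the rule is evaluated
    New-ItemProperty -Path $key.PSPath -Name 'ItemData'    -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key.PSPath -Name 'SaferFlags'  -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name 'Description' -Value $Description -PropertyType String       | Out-Null
    return $key.PSChildName
}

function Get-DisallowedPathRules {
    # One object per rule, so an administrator can audit the Disallowed set after a change
    Get-ChildItem $DisallowedPaths -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Path = $p.ItemData; Description = $p.Description }
    }
}

foreach ($f in $GatorFiles) {
    Add-DisallowedPathRule -Path "%SYSTEMROOT%\$f" -Description "Block Gator ($f)" | Out-Null
}
Get-DisallowedPathRules | Format-Table -AutoSize
```

Get-DisallowedPathRules is the check worth keeping: run it after any policy change to confirm the three entries are present at the Disallowed level. Note that a path rule matches only the path written into it; the same Additional Rules container also offers hash rules, which identify a file by its contents rather than its name and location, for the spyware files you have a copy of.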
During one of my more recent spyware removal endeavors, a user asked me how it was possible for her computer to become infected with spyware when she had a firewall. The truth is that a firewall will do very little to prevent a spyware infection. Keep in mind that most of the time when an infection occurs, it's because you visited a malicious Web site. The malicious code is usually passed through TCP port 80, along with the site's other HTML code. Since port 80 is the standard port used for browsing the Web, a firewall isn't about to prevent traffic from flowing across this port.

Just because your firewall doesn't usually prevent a spyware infestation doesn't mean that it is useless in the war against spyware though. Think about it for a moment. The main function of spyware is to transmit information about you or your browsing habits to someone else. Even if your firewall can't prevent spyware from getting into your PC, it can prevent potentially sensitive information from being sent back to the person who wrote the spyware module. Just configure your firewall to restrict outbound traffic. Normally, a default firewall configuration will consider all outbound traffic to be safe. I recommend restricting all outbound traffic except on a few ports. For example, you will probably want to keep the ports used for HTTP, POP3, and SMTP open.
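The outbound policy described above, written for Windows Defender Firewall as an added example (not code from the article; the Windows XP firewall its readers had could not filter outbound traffic at all). It assumes the built-in NetSecurity cmdlets of Windows 8 / Server 2012 and later and an elevated prompt. The weak default posture the article mentions is shown commented out next to the corrected one. It goes one step beyond the article's list by also allowing outbound DNS, because a default-deny egress policy without name resolution breaks the very HTTP and mail traffic you meant to keep; the rule names and function names are my own.

```powershell
# Added example (not from the article): default-deny egress with a short allow list.

# Weak posture (the usual default): every outbound connection is trusted.
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow

# Allow list: the article's HTTP, POP3 and SMTP, plus DNS so names still resolve.
$AllowedOutbound = @(
    @{ Name = 'Allow outbound HTTP (80/tcp)';  Protocol = 'TCP'; Port = 80  },
    @{ Name = 'Allow outbound POP3 (110/tcp)'; Protocol = 'TCP'; Port = 110 },
    @{ Name = 'Allow outbound SMTP (25/tcp)';  Protocol = 'TCP'; Port = 25  },
    @{ Name = 'Allow outbound DNS (53/udp)';   Protocol = 'UDP'; Port = 53  }
)

function Set-DefaultDenyEgress {
    # 1. Flip every profile so unlisted outbound connections are dropped.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
    # 2. Re-allow only the listed services (skip rules that already exist).
    foreach ($rule in $AllowedOutbound) {
        if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $rule.Name -Direction Outbound `
                -Protocol $rule.Protocol -RemotePort $rule.Port -Action Allow -Profile Any | Out-Null
        }
    }
}

function Test-DefaultDenyEgress {
    # $true only when every profile blocks outbound traffic by default.
    $open = Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' }
    return (-not $open)
}

Set-DefaultDenyEgress
Test-DefaultDenyEgress   # expect True after the change
```

With the default flipped to Block, a spyware module that tries to phone home on some other port produces a dropped outbound connection instead of a silent upload; enable firewall logging for dropped packets if you want those attempts recorded.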

When all else fails, check the database
Although most of this article has focused on spyware infestations that occur by accidentally stumbling onto a malicious Web site, malicious Web sites are definitely not the only source of spyware. Anyone who has ever visited download.com knows that there are thousands of different applications freely available for download. Although most free applications are exactly what they claim to be, there are applications available for download that will secretly install spyware onto your machine when you install the application.

So how do you know whether or not an application is safe? You could read the application's license agreement or terms of use, but such documents can be tough to understand and not all purveyors of spyware actually disclose their practices. A better solution is to simply ask someone who knows. The Spychecker Web site contains a database of applications known to have spyware attached. If you are considering installing a questionable application, try searching for the application in the Spy Checker database to see if it contains spyware. You can see an example of this in Figure C.

Figure C

Spy Checker offers a free database of applications containing spyware.

Talkback (3 comments)

    Hi Brien, Loved your article b ...Anonymous -- 05/10/04

    Hi Brien,

    Loved your article but....

    Windows XP Pro SP2 does not have linkages via Control Panel/Performance And Maintenance to carry out the processes to remove Gator as outlined in your article.

    Would love an update for SP2!

    Graham

    Hhmm, it said "Click here ...Anonymous -- 05/10/04

    Hhmm, it said "Click here for the full story"!

    I have no doubt that you are aware, but neglected to mention, that one single anti-spyware app is not sufficient, due to the incredibly large variety of malware there is.

    No single app gets them all, not even close, you therefore must scan regularly with several if you wish to remain malware free.

    There are many available, some free, some that cost. I use the Adaware you mention & it is a good program, however they cannot be relied upon as they have twice in the past ceased providing updates without advice to users, even those performing unknowingly futile update checks on a regular basis.

    I also use the following -

    Widely acclaimed as the best one, which I'm sure you're aware of, is the free Spybot Search & Destroy - http://www.safer-networking.org/en/
    an excellent program & I urge users to make a small donation to this good cause.

    Pest Patrol charges but has also been good to me, their online database of pest info is very comprehensive, but already with the new owners there has been a change that I'm less than impressed with, reserving further judgement at this stage.

    Spyware Blaster is also free & will stop many pests from downloading in the first place, without even the need to be running in the background, very cool trick - http://www.javacoolsoftware.com/

    Firefox Browser has come a long way in recent years, is widely compatible & will also stop many pests from loading in the first place, it also does not have the amount of vulnerabilities of IE - http://www.mozilla.org/products/firefox/

    Thunderbird Email client, very good but still in late beta stage, not prone to the same amount of vulnerabilities as Outlook & Outlook express - http://www.mozilla.org/products/thunderbird/

    Better quality Anti-virus & Firewall also play a big part in my defences -

    Nod 32 Anti-virus will also stop a number of pests from downloading - http://www.nod32.com.au/

    Like all better Firewalls, Outpost takes a bit of configuring for your particular system, a pain compared to install & forget. The pay off is much better protection though, & Outpost includes a "Program Component Control" that will detect any other app trying to hook into your browsers or email client...or any program for that matter. This works exceptionally well, you just need to remember to turn Component Monitoring off when you are installing/upgrading software. - http://www.agnitum.com/products/outpost/

    You can download trial versions of the above 2 apps from this Aussie URL - http://www.antivirus.com.au/

    Time to take back the web from the scammers, it can be done.

    I don't know how to say thank ...Anonymous -- 07/10/04

    I don't know how to say thank you to whoever wrote the WinSocFix program. I had tried everything, including the manual deletion, but could not fix the problem I had of not being able to "see" a particular website.
    I downloaded the program, ran it once & got my website back. Very simple, very effective.
    Spyware tools are great except when they cause problems like this.
    Thank you
