A spyware infection is rarely a single application; most successful malware infections automatically install several, even dozens, of additional applications. Some of those applications might be straightforward to remove. However, if even a single malicious application remains, it can continue to download and install other malware, undoing a partial cleanup.
If you detect a problem related to spyware and other potentially unwanted software, follow these steps to troubleshoot it:
1. Perform a quick scan and remove any potentially unwanted applications. Then, immediately perform a full scan and remove any additional potentially malicious software. The full scan can take many hours to run, and Windows Defender might need to restart Windows to complete the removal.
2. If the software has made changes to Internet Explorer, such as adding unwanted add-ons or changing the home page, refer to Chapter 20 for troubleshooting information.
3. Run an antivirus scan on the computer, such as the online scanner available from http://safety.live.com. Spyware often installs software that is classified as a virus, or the vulnerability exploited by the spyware might also be exploited by a virus. Windows Defender does not detect or remove viruses. Remove any viruses installed on the computer.
4. If you still see signs of malware, install an additional antispyware and antivirus application from a known and trusted vendor. With complicated infections, a single anti-malware tool might not be able to remove the infection completely. Your chances of removing all traces of malware increase when you use multiple applications, but you should not configure more than one application to provide real-time protection, because real-time scanners interfere with each other.
5. If problems persist, shut down the computer and use the Startup Repair tool to perform a System Restore. Restore the computer to a date prior to the malware infection. System Restore will typically remove the startup settings that cause malware applications to run, but it will not remove the executable files themselves, so scan the computer again afterward. Use this only as a last resort: Although System Restore will not remove a user's personal files, it can cause problems with recently installed or configured applications. For more information, see Chapter 29, "Configuring Startup and Troubleshooting Startup Issues."
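The following script is an added example, not part of the original chapter, that drives the scan and restore-point steps above from an elevated Windows PowerShell prompt on Windows 7. It assumes that MpCmdRun.exe is installed under the Windows Defender program folder, that its exit code is 0 when a scan finds nothing and non-zero otherwise (the exit-code convention is an assumption, so confirm it against your build), and that the infection date is known; step 5 in the text runs System Restore offline from Startup Repair, so the script only identifies the restore point to use rather than applying it.

```powershell
# Added example: scan with Windows Defender, list registered antivirus
# products, and pick the restore point that predates the infection.
# Assumptions (not from the chapter): MpCmdRun.exe location and exit codes,
# and the infection date used to choose a restore point.

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "Windows Defender command-line tool not found at $mpCmdRun"
}

function Invoke-DefenderScan {
    param([ValidateSet('Quick', 'Full')][string]$Type)
    # MpCmdRun -Scan -ScanType: 1 = quick scan, 2 = full scan.
    $scanType = if ($Type -eq 'Quick') { 1 } else { 2 }
    Write-Host "Starting $Type scan at $(Get-Date -Format s) ..."
    & $mpCmdRun -Scan -ScanType $scanType | Out-Null
    return $LASTEXITCODE   # assumed: 0 = nothing found, non-zero = threats or error
}

# Step 1: quick scan first, then the long-running full scan.
$quick = Invoke-DefenderScan -Type Quick
$full  = Invoke-DefenderScan -Type Full
Write-Host "Quick scan exit code: $quick; full scan exit code: $full"

# Step 3: Windows Defender on Windows 7 does not detect viruses. List the
# antivirus products registered with Security Center so you know what else
# has been installed (root\SecurityCenter2 exists on Windows Vista and later).
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
    Select-Object displayName, productState, pathToSignedProductExe |
    Format-Table -AutoSize

# Step 5: choose the newest restore point created before the infection date.
# CreationTime is a DMTF date string, so convert it before comparing.
$infectionDate = Get-Date '2009-11-01'   # assumed; use the date symptoms began
$toDate = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }
$candidate = Get-ComputerRestorePoint |
    Where-Object { (& $toDate) -lt $infectionDate } |
    Sort-Object $toDate -Descending |
    Select-Object -First 1

if ($candidate) {
    Write-Host "Newest restore point before $($infectionDate.ToShortDateString()):"
    Write-Host "  Sequence $($candidate.SequenceNumber): $($candidate.Description)"
    # Last resort only; uncomment to roll back from a running session.
    # The computer restarts, and the malware executables remain on disk.
    # Restore-Computer -RestorePoint $candidate.SequenceNumber -Confirm
} else {
    Write-Warning "No restore point predates $infectionDate"
}
```

Run the script from an elevated prompt; the scans write their own progress to the Windows Defender history, and the WMI query tells you whether a third-party antivirus engine is actually registered before you rely on it for step 3.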
These steps will resolve the vast majority of malware problems. However, when malware has run on a computer, you can never be certain that the software is removed completely. In particular, malware known as rootkits can install themselves in such a way that they are difficult to detect on a computer. In these circumstances, if you cannot find a way to confidently remove the rootkit, you might be forced to reformat the hard disk, reinstall Windows, and then restore user files using a backup created prior to the infection.
Many organizations have been affected by viruses or worms that entered their private networks through a mobile PC and quickly infected computers throughout the organization. Windows Vista, when connecting to a Windows Server 2008 infrastructure, supports Network Access Protection (NAP) to reduce the risks of connecting unhealthy computers to private networks directly or across a VPN. If a NAP client computer lacks current security updates or virus signatures—or otherwise fails to meet your requirements for computer health—NAP blocks the computer from having unlimited access to your private network. If a computer fails to meet the health requirements, it will be connected to a restricted network to download and install the updates, antivirus signatures, or configuration settings that are required to comply with current health requirements. Within minutes, a potentially vulnerable computer can be updated, have its new health state validated, and then be granted unlimited access to your network.
NAP is not designed to secure a network from malicious users. It is designed to help administrators maintain the health of the computers on the network, which in turn helps maintain the network's overall integrity. For example, if a computer has all the software and configuration settings that the health requirement policy requires, the computer is considered compliant, and it will be granted unlimited access to the network. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.
NAP has three important and distinct aspects:
■ Network policy validation When a user attempts to connect to the network, the computer's health state is validated against the network access policies as defined by the administrator. Administrators can then choose what to do if a computer is not compliant. In a monitoring-only environment, all authorized computers are granted access to the network even if some do not comply with health requirement policies, but the compliance state of each computer is logged. In an isolation environment, computers that comply with the health requirement policies are allowed unlimited access to the network, but computers that do not comply with health requirement policies or are not compatible with NAP are placed on a restricted network. In both environments, administrators can define exceptions to the validation process. NAP also includes migration tools to make it easier for administrators to define exceptions that best suit their network needs.
■ Health requirement policy compliance Administrators can help ensure compliance with health requirement policies by choosing to automatically update noncompliant computers with the required updates through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have access to the network even before they are updated with required software or configuration changes. In an isolation environment, computers that do not comply with health requirement policies have limited access until the software and configuration updates are completed. Again, in both environments, the administrator can define policy exceptions.
■ Limited access for noncompliant computers Administrators can protect network assets by limiting the access of computers that do not comply with health requirement policies. Computers that do not comply will have their network access limited as defined by the administrator. That access can be limited to a restricted network, to a single resource, or to no internal resources at all. If an administrator does not configure health update resources, the limited access will last for the duration of the connection. If an administrator configures health update resources, the limited access will last only until the computer is brought into compliance.
NAP is an extensible platform that provides an infrastructure and an application programming interface (API) set for adding features that verify and remediate a computer's health to comply with health requirement policies. By itself, NAP does not provide features to verify or correct a computer's health. Other features, known as system health agents (SHAs) and system health validators (SHVs), provide automated system health reporting, validation, and remediation. Windows Vista, Windows Server 2008, and Windows 7 include an SHA and an SHV that allow the network administrator to specify health requirements for the services monitored by the Windows Security Center.
When troubleshooting client-side problems related to NAP, open Event Viewer and browse the Applications And Services Logs\Microsoft\Windows\Network Access Protection Event Log. For more information about configuring a NAP infrastructure with Windows Server 2008, read Chapters 14 through 19 of Windows Server 2008 Networking and Network Access Protection by Joseph Davies and Tony Northrup (Microsoft Press, 2008).
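The following script is an added example, not part of the original chapter, showing a first-pass client-side NAP triage on Windows 7. It assumes the NAP Agent service (service name napagent) and the netsh nap context are present, and that the event log the text refers to is exposed to Get-WinEvent under the channel name Microsoft-Windows-NetworkAccessProtection/Operational; both names are assumptions to verify in Event Viewer and Services on your own system.

```powershell
# Added example: check the NAP client's service, enforcement configuration,
# reported health state, and recent events. Assumptions (not from the
# chapter): the service name napagent and the event channel name below.

# 1. Nothing else works if the NAP Agent is not running.
$agent = Get-Service -Name napagent -ErrorAction Stop
Write-Host "NAP Agent service: $($agent.Status)"
if ($agent.Status -ne 'Running') {
    Write-Warning 'NAP Agent is stopped; the client cannot report health.'
}

# 2. Which enforcement clients (DHCP, IPsec, 802.1X, VPN, ...) are enabled,
#    and what health state the client currently reports. netsh output is
#    printed verbatim because it is the authoritative client-side view.
netsh nap client show configuration
netsh nap client show state

# 3. Summarize the most recent NAP events by event ID so a repeated failure
#    stands out before you read individual messages, then print the newest
#    ten in full for the reason text.
$log = 'Microsoft-Windows-NetworkAccessProtection/Operational'
$events = Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events found in $log; confirm the log is enabled and the client is NAP-capable."
} else {
    $events | Group-Object Id | Sort-Object Count -Descending |
        Select-Object Count, @{n = 'EventId'; e = { $_.Name }},
            @{n = 'Latest'; e = {
                ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated }} |
        Format-Table -AutoSize

    $events | Select-Object -First 10 TimeCreated, Id, LevelDisplayName, Message |
        Format-List
}
```

Compare the state that netsh reports (compliant, noncompliant, or not restricted) with the decision logged on the Network Policy Server; a client that reports compliant but is still restricted usually points at the server-side policy or the enforcement point rather than at the client.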
Forefront is enterprise security software that provides protection from malware in addition to many other threats. Whereas Windows Defender is designed for consumers and small businesses, Forefront is designed to be deployed and managed efficiently throughout large networks.
Forefront products are designed to provide defense-in-depth by protecting desktops, laptops, and server operating systems. Forefront currently consists of the following products:
■ Microsoft Forefront Client Security (FCS)
■ Microsoft Forefront Security for Exchange Server (formerly called Microsoft Antigen for Exchange)
■ Microsoft Forefront Security for SharePoint (formerly called Antigen for SharePoint)
■ Microsoft Forefront Security for Office Communications Server (formerly called Antigen for Instant Messaging)
■ Microsoft Intelligent Application Gateway (IAG)
■ Microsoft Forefront Threat Management Gateway (TMG)
Of these products, only FCS would be deployed to client computers. The other products typically would be deployed on servers to protect applications, networks, and infrastructure.
Enterprise management of anti-malware software is useful for:
■ Centralized policy management.
■ Alerting and reporting on malware threats in your environment.
■ Comprehensive insight into the security state of your environment, including security update status and up-to-date signatures.
Forefront provides a simple user interface for creating policies that you can distribute automatically to organizational units and security groups by using GPOs. Clients also centrally report their status so that administrators can view the overall status of client security in the enterprise.
With Forefront, administrators can view statistics ranging from domain-wide to specific groups of computers or individual computers to understand the impact of specific threats. In other words, if malware does infect computers in your organization, you can quickly discover the infection, isolate the affected computers, and then take steps to resolve the problems.
Forefront also provides a client-side user interface. Similar to Windows Defender, Forefront can warn users if an application attempts to make potentially malicious changes, or if it detects known malware attempting to run. The key differences between Defender and Forefront are:
■ Forefront is managed centrally Forefront is designed for use in medium-sized and large networks. Administrators can use the central management console to view a summary of current threats and vulnerabilities, computers that need to be updated, and computers that are currently having security problems. Windows Defender is designed for home computers and small offices only, and threats must be managed on the local computers.
■ Forefront is highly configurable You can configure automated responses to alerts, and, for example, prevent users from running known malware instead of giving them the opportunity to override a warning as they can do with Windows Defender.
■ Forefront protects against all types of malware Windows Defender is designed to protect against spyware. Forefront protects against spyware, viruses, rootkits, worms, and Trojan horses. If you use Windows Defender, you need another application to protect against the additional threats.
■ Forefront can protect a wider variety of Windows platforms Forefront is designed to protect computers running Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows 7, and Windows Server 2008. Windows Defender can protect only computers running Windows XP, Windows Vista, and Windows 7.
Like Windows Defender, Forefront supports using Microsoft Update and WSUS to distribute updated signatures to client computers, but Forefront also supports using third-party software distribution systems. For more information about Forefront, visit http://www.microsoft.com/forefront/. Also, explore the Microsoft TechNet Virtual Labs at http://technet.microsoft.com/bb499665.aspx.
NOTE Microsoft offers a third client security solution: Windows Live OneCare. Windows Live OneCare is designed to help protect home computers and small businesses with antivirus protection, antispyware protection, improved firewall software, performance monitoring, and backup and restore assistance. For more information, visit http://onecare.live.com/.
Windows 7 is designed to be secure by default, but default settings don't meet everyone's needs. Additionally, the highly secure default settings can cause compatibility problems with applications not written specifically for Windows 7. For these reasons, it's important that you understand the client-security technologies built into Windows 7 and how to configure them.
One of the most significant security features is UAC. By default, both users and administrators run with standard user privileges, which reduces the damage that malware could do if it were to start a process successfully in the user's context. If an application needs elevated privileges, UAC prompts the user to confirm the request or to provide administrator credentials. Because UAC changes the default privileges for applications, it can cause problems with applications that require administrative rights. To minimize these problems, UAC provides file and registry virtualization that redirects writes to protected locations into user-specific locations that won't affect the entire system.
AppLocker provides similar functionality to the Software Restriction Policies available in earlier versions of Windows. However, AppLocker's publisher rules provide more flexible control and enable administrators to create a single rule that allows both current and future versions of an application without the risks of a path rule (which any file copied to the allowed path would satisfy). Additionally, AppLocker includes an audit-only mode that lets administrators identify applications that require rules and test rules before enforcing them.
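The following script is an added example, not part of the original chapter, that builds an AppLocker publisher rule from a signed binary, switches the generated rule collection to audit-only mode, and evaluates the policy offline with Test-AppLockerPolicy before anything is enforced. It assumes a Windows 7 edition that includes the AppLocker cmdlets, that the signed executable is Notepad in the System32 folder, and that the unsigned test path (unsigned-tool.exe) is a placeholder you replace with a real file; those paths and the rule name prefix are assumptions, not something the chapter specifies.

```powershell
# Added example: publisher rule + audit-only mode + offline policy test.
# Assumptions (not from the chapter): the signed sample binary, the probe
# paths, and the rule name prefix.
Import-Module AppLocker

$signedExe = Join-Path $env:SystemRoot 'System32\notepad.exe'   # any signed binary
$policyXml = Join-Path $env:TEMP 'applocker-audit.xml'

# A publisher rule is keyed on the signer, product, and file name from the
# Authenticode signature, not on a path, so it survives version upgrades and
# is not satisfied by an arbitrary file copied into an allowed folder.
$fileInfo = Get-AppLockerFileInformation -Path $signedExe
$policy   = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                -User Everyone -RuleNamePrefix 'Example' -Xml

# Put every generated rule collection into AuditOnly: AppLocker logs what it
# would have blocked to the AppLocker event logs but does not block anything.
$xml = [xml]$policy
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyXml)
Write-Host "Audit-only policy written to $policyXml"

# Evaluate the policy against sample binaries without applying it.
# DeniedByDefault means "no rule matched", which becomes a block once the
# collection's EnforcementMode is changed to Enabled.
$probe = @(
    $signedExe,
    (Join-Path $env:SystemRoot 'System32\calc.exe'),
    (Join-Path $env:TEMP 'unsigned-tool.exe')   # placeholder; replace with a real file
) | Where-Object { Test-Path $_ }

Test-AppLockerPolicy -XmlPolicy $policyXml -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply locally only after reviewing the results. Auditing and enforcement
# both require the Application Identity service to be running.
# Set-AppLockerPolicy -XmlPolicy $policyXml
# Start-Service -Name AppIDSvc
```

Leave the policy in audit-only mode long enough to collect the AppLocker event log entries for applications users actually run, add rules for the legitimate ones, and only then change EnforcementMode to Enabled; switching straight to enforcement with a single rule would block every other executable on the system.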
Microsoft also provides Windows Defender for additional protection from spyware and other potentially unwanted software. Windows Defender uses signature-based and heuristic antispyware detection. If it finds malware on a computer, it gives the user the opportunity to prevent it from installing or to remove it if it is already installed. Windows Defender isn't designed for enterprise use, however. For improved manageability and protection against other forms of malware (including viruses and rootkits), use Forefront or another similar enterprise client-security solution.
These resources contain additional information and tools related to this chapter.
■ Chapter 2, "Security in Windows 7," includes an overview of malware.
■ Chapter 4, "Planning Deployment," includes more information about application compatibility.
■ Chapter 20, "Managing Windows Internet Explorer," includes more information about protecting Internet Explorer.
■ Chapter 23, "Managing Software Updates," includes information about deploying WSUS.
■ Chapter 26, "Configuring Windows Firewall and IPsec," includes more information about Windows Service Hardening.
■ Chapter 29, "Configuring Startup and Troubleshooting Startup Issues," includes information about running System Restore.
■ "Behavioral Modeling of Social Engineering-Based Malicious Software" at http://www.microsoft.com/downloads/details.aspx?FamilyID=e0f27260-58da-40db-8785-689cf6a05c73 includes information about social engineering attacks.
■ "Windows 7 Security Compliance Management Toolkit" at http://go.microsoft.com/fwlink/?LinkId=156033 provides detailed information about how to best configure Windows 7 security for your organization.
■ "Microsoft Security Intelligence Report" at http://www.microsoft.com/downloads/details.aspx?FamilyID=aa6e0660-dc24-4930-affd-e33572ccb91f includes information about trends in the malicious and potentially unwanted software landscape.
■ "Malware Removal Starter Kit" at http://www.microsoft.com/downloads/details.aspx?FamilyID=6cd853ce-f349-4a18-a14f-c99b64adfbea.
■ "Applying the Principle of Least Privilege to User Accounts on Windows XP" at http://technet.microsoft.com/en-us/library/bb456992.aspx.
■ "Fundamental Computer Investigation Guide for Windows" at http://www.microsoft.com/downloads/details.aspx?FamilyId=71B986EC-B3F1-4C14-AC70-EC0EB8ED9D57.
■ "Security Compliance Management Toolkit Series" at http://www.microsoft.com/downloads/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e.