At the network edge, providers that deliver CPE-based managed security services are adding anti-spyware. Many already wrap expert provisioning, 24/7 NOC monitoring, threat assessment and incident response around multi-function security appliances from vendors like McAfee, Trend Micro, SonicWALL and WatchGuard. Providers can spin anti-spyware modules for these and other security appliances into new anti-spyware offerings, accompanied by professional services like spyware remediation.
Phase Three: Rigorous Remediation
Spyware prevention and detection can reduce the need for remediation, but hosts that are already infested with spyware must be cleansed before applying prophylactic measures.
Relatively benign threats like adware cookies and NonBizWare programs can often be removed manually without difficulty. Temporary files, browser caches, cookies, and play-by-the-rules programs can be deleted with standard desktop tools like Disk Cleanup and Add/Remove Programs. Unfortunately, removing more tenacious adware, bots and trojans without crippling the host can be very tricky. Malware that morphs to elude detection can affect each host in a slightly different fashion. Rootkits are especially tough to scrub because they replace OS files and use hidden processes.
As a result, malicious spyware removal is not for the faint of heart. Vendor knowledge bases and public forums like CastleCops offer manual spyware removal advice, but most businesses should rely on automated clean-up using desktop anti-spyware programs. In addition to real-time quarantine, some anti-spyware products include rollback/restore capabilities that can recover critical files overwritten by spyware. On Windows XP SP2 hosts, Microsoft's Malicious Software Removal Tool (MSRT) can be used to delete the most prevalent malware.
When spyware removal fails or produces questionable results, rebuilding the desktop can be required for recovery to a trustworthy state. For companies that already maintain standard desktop images and regular data backups, re-imaging may be time-consuming but tolerable. Others may find repeated spyware remediation costly enough to justify investment in the aforementioned practices, reaping benefits beyond spyware relief. Those without previously-saved desktop images may find themselves with little choice but to disconnect the infested host from the Internet, quickly back up critical data to CD, reformat hard disks, and reinstall the operating system and applications from scratch.
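The rollback/restore capability mentioned above and the "recovery to a trustworthy state" that re-imaging provides both rest on the same idea: a known-good manifest of file hashes, compared against the live host, with differences repaired from a clean copy. The Python script below is an added example illustrating that idea; it is not code from the article or from any product it names. It assumes the organisation keeps a clean copy of its standard desktop image on disk, and it works on a small constructed file tree rather than a real Windows system.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash: the 'known-good' manifest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify files on the host as modified, added or missing relative to the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def rollback(root: Path, clean_copy: Path, quarantine: Path, report: dict) -> dict:
    """Restore modified/missing files from the clean image; move unexpected files to quarantine."""
    restored, quarantined = [], []
    for rel in report["modified"] + report["missing"]:
        src, dst = clean_copy / rel, root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        restored.append(rel)
    for rel in report["added"]:
        src, dst = root / rel, quarantine / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))   # keep the file for analysis instead of deleting it
        quarantined.append(rel)
    return {"restored": sorted(restored), "quarantined": sorted(quarantined)}


def demo() -> dict:
    """Constructed walk-through: baseline a small host tree, tamper with it, detect and roll back."""
    work = Path(tempfile.mkdtemp())
    host, clean, quarantine = work / "host", work / "clean_image", work / "quarantine"
    # Constructed sample host: two directories, three files (hypothetical names, not real OS files).
    sample = {"system/netlib.dll": b"vendor code",
              "system/shell.exe": b"vendor shell",
              "app/config.ini": b"[app]\nmode=1\n"}
    for rel, data in sample.items():
        (host / rel).parent.mkdir(parents=True, exist_ok=True)
        (host / rel).write_bytes(data)
    shutil.copytree(host, clean)          # the organisation's saved 'standard desktop image'
    baseline = build_baseline(clean)

    # Simulated infestation: one system file overwritten, one unknown file dropped, one file deleted.
    (host / "system/netlib.dll").write_bytes(b"vendor code + injected")
    (host / "system/helper.exe").write_bytes(b"not in image")
    (host / "app/config.ini").unlink()

    before = compare_to_baseline(host, baseline)
    actions = rollback(host, clean, quarantine, before)
    after = compare_to_baseline(host, baseline)
    shutil.rmtree(work)
    return {"before": before, "actions": actions, "after": after}


if __name__ == "__main__":
    print(demo())
```

The comparison step is the part worth keeping even if rollback is done by a product or by re-imaging: running it after an automated clean-up is a cheap way to decide whether the removal "produced questionable results" and the host should be rebuilt instead.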
Alternatively, some experts recommend browsing the Web from virtual machines (e.g., VMware Workstation, Microsoft Virtual PC). This kind of "sandboxing" can insulate your real operating system, letting spyware damage be undone simply by discarding the compromised virtual machine. Those who routinely use virtual machines for other reasons (e.g., software development and testing) may find this approach very helpful.