Oct 31 2006

How To Maintain Network Surveillance And Beat Spyware

When it comes to prying eyes on your desktop, spyware is bad. But when it comes to keeping track of devices on your network, an extra set of eyes is exactly what you need.

Spyware is the number-one problem the help desk at Harpeth Hall School in Nashville, Tenn., faced this year. We tried using free spyware scanners, but those tools depended on students actually taking the time to run them. We needed a solution that we could push down to clients without requiring end-user action.

For three months last fall, we tested major brands on five notebook PCs that were infected with spyware. We ghosted, or created an image of each drive, to ensure the test environments were identical. The test covered manual and real-time scanning, resource utilization, client control, the administrative interface and installation.

The results for all the brands were very positive. However, Spy Sweeper from Webroot Software was the only one that removed 100 percent of the spyware in the test environment on the first scan. The other tools removed at least 90 percent: They detected the spyware, but were unable to remove some of the very tricky ones that Webroot removed on the first scan.

The Advantages

The Webroot server and client software are easy to install. We use a login script that determines whether the client is installed, and it works with Active Directory. Once installed, everything is configured from a Web interface, and we can create custom groups and change policies per group.

The client settings can be configured to be invisible to the user or viewable, with either no user control of changing client settings or full user control of client settings with uninstall privileges. This is handy because it forces students to run their scans and prevents users from uninstalling the client, even if they have administrator rights. Policies can be set to quarantine, ignore or remove spyware that’s found during scans.

The software also contains a feature called Smart Shield, a set of policies that aids in active spyware protection and can be enabled or disabled. This feature blocks spyware from the registry and user home pages and prevents the start of any spyware processes.

In addition, the server specifications are very low, allowing the software to run on low-end hardware. The system requires Microsoft Windows 2000, 2003 or XP Pro, 1 gigahertz central processing unit (CPU), 1 gigabyte of memory and 1GB of disk space.

Although I have contacted Webroot only two or three times in the past seven months, I’ve been pleased with the response. All my questions were answered, and tech support was knowledgeable.

The Disadvantages

The Spy Sweeper client is memory-intensive. Its CPU use, on the other hand, can be capped: instead of letting the client consume as much CPU as possible and max out the processor at 100 percent, you can limit it to 5 percent to 10 percent. This allows users to go on with their day-to-day activities while a scan is taking place without bringing their notebook PCs to a crawl. It does increase the amount of time the scan takes, but since everything happens in the background and is invisible to the user, this isn’t an issue.

I would prefer a smaller memory footprint because we use tablet computers, which require 10 to 15 extra processes running in the background due to special tablet software. For any application, a smaller memory footprint is a good thing in my book.

Spy Sweeper offers detailed reports, but the Web interface sometimes shuts down. You can export certain data to PDF or Excel files, but this function cuts out sporadically.

The Results

We logged more than 800 instances of spyware in January, the month we installed Spy Sweeper. In May, we had fewer than 25.

In addition, since installing Spy Sweeper, my help desk calls have dropped by more than 60 percent.

Monitoring the Network

As Network Administrator, I manage a growing number of devices, including servers, printers, wireless access points, network switches and other hardware. We use Nagios, an open source monitoring program, to monitor our hosts and services and to inform IT of network problems.

The Advantages

Nagios has no hardware requirements. All you need are a working installation of Linux, a Web server and a graphics draw library.

We can monitor almost anything that responds to Simple Network Management Protocol. At Harpeth Hall, we monitor Hewlett-Packard JetDirect cards to detect paper jams and check toner levels; hardware status, such as CPU temperature and system fans; APC battery status, such as battery temperature and running time; Windows server information; and router CPU load. Numerous plug-ins can also be installed.

We monitor the hard drive space on all our servers. If a server’s hard drive gets below a certain threshold, an alert is dispatched. We also monitor network availability on all devices. If the Nagios server cannot contact any network device, we receive an alert. It also monitors the CPU load of servers, network switches and routers.

For organizations that want the full support of a commercial monitoring product, GFI Software also makes a good monitoring product — GFI Network Monitor — which handles 50 devices.

The Disadvantages

The Nagios Web interface isn’t as visually appealing as some of the commercial products. Configuration is a pain, but you only have to do it once. The entire configuration is kept in text files, and you can create a single text file that holds all the configurations for hosts, services, contacts and groups, or you can have one text file for each specific area. I have one text file for all my wireless access points, another for my servers and another for my contacts to receive e-mail notifications. The basic configuration of permissions and the locations of the core components are also in text files.

Installing Nagios does require some knowledge of Linux, but the available documentation is excellent. Since Nagios is an open source tool, there aren’t any product support lines to call, so you must rely on the open source community for troubleshooting. However, I’ve always found the Linux community to be helpful when problems occur.

One of the most time-consuming jobs with this product is adding the devices to be monitored. Each device must be manually added to a “host” text file.

The Results

We separate servers, wireless access points, printers and switches, and we have contact groups for each. A contact group can be one or more people responsible for a certain set of devices.

For instance, when a printer’s JetDirect card has a problem, a technician will receive an e-mail or page noting which printer is having the problem and what the problem is. Settings can allow persistent e-mails until the problem is fixed, or a single e-mail stating the problem and a follow-up saying the problem has been resolved.
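As an added illustration (not the school's own configuration files), here is what the text-file layout described above looks like in Nagios object syntax: one contact, a contact group per device type, a printer host that notifies once and then again only on recovery, and a server disk-space service that keeps re-notifying until the problem is fixed. Host names, addresses and e-mail addresses are placeholders, and the check_nt command is assumed to be defined as in the stock Nagios sample commands.cfg.

```nagios
# Constructed example: contacts.cfg, printers.cfg and servers.cfg merged into one file.
# Every name, address and threshold below is a placeholder, not a real site value.

define contact {
    contact_name                    net-tech
    alias                           Network technician (placeholder)
    host_notification_period        24x7
    service_notification_period     24x7
    host_notification_options       d,r        ; notify on host down and on recovery
    service_notification_options    w,c,r      ; notify on warning, critical and recovery
    host_notification_commands      notify-host-by-email
    service_notification_commands   notify-service-by-email
    email                           net-tech@example.org
}

define contactgroup {                          ; one group per class of device
    contactgroup_name   printer-admins
    alias               Staff responsible for printers
    members             net-tech
}

define contactgroup {
    contactgroup_name   server-admins
    alias               Staff responsible for servers
    members             net-tech
}

define host {                                  ; a printer whose JetDirect card is polled
    host_name               lib-printer-01
    alias                   Library laser printer (placeholder)
    address                 192.0.2.21         ; documentation address, not a real device
    hostgroups              printers
    check_command           check-host-alive
    max_check_attempts      3                  ; three failed pings before it counts as down
    notification_interval   0                  ; 0 = one e-mail, then only a recovery e-mail
    notification_period     24x7
    notification_options    d,r
    contact_groups          printer-admins
}

define service {                               ; disk-space threshold on a Windows server
    host_name               fs-01
    service_description     Disk C:
    check_command           check_nt!USEDDISKSPACE!-l c -w 80 -c 90   ; warn at 80%, critical at 90%
    max_check_attempts      3
    normal_check_interval   10                 ; minutes between checks while OK
    retry_check_interval    2                  ; minutes between re-checks while failing
    check_period            24x7
    notification_interval   60                 ; persistent: re-notify hourly until fixed
    notification_period     24x7
    notification_options    w,c,r
    contact_groups          server-admins
}
```

The difference between the two notification_interval values is what selects between the "single e-mail plus follow-up" and "persistent e-mails" behaviours mentioned above; the directives shown are the ones required by Nagios 2.x and remain valid in 3.x.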




Justin Dover is network administrator at Harpeth Hall School in Nashville, Tenn.