Spyware is a pretty ugly type of malware that spreads through browsers, e-mail, and pretty much any other mechanism users have for installing files. We mentioned earlier the primary way to stop spyware: do not let users run as admins. There are other supplemental measures, however. There are three principles behind spyware and malware protection:
Do not allow the malware to get onto the box.
If the malware should get onto the box, stop it from running.
Should the malware get onto the box and run, stop it from communicating.
The first objective is best served with defensive browsing, anti-malware programs, and controls on attachments. Should the software make it onto the machine anyway, the only way to stop it from running is to use software restriction policies, but they are not foolproof either. Finally, to stop it from communicating, we need firewalls. As mentioned in earlier chapters, most users will not understand host-based outbound filtering firewalls, so you would need to block known malware sites at the router or firewall. You can obtain lists of these sites from some of the anti-spyware vendors, such as AdAware. Blocking at the firewall will not help traveling machines, however. For them, we recommend using a method that a colleague of ours by the name of Jason Zions told us about. In Appendix C, "HOSTS File to Block Spyware," we include Jason's HOSTS file. Jason, being a UNIX guy, used a HOSTS file to resolve all the known spyware sites to a loopback address. In other words, the machine has no way to resolve them to the actual site, effectively black-holing all the spyware sites. Of course, if the spyware sites use IP addresses rather than host names to communicate, this method will not help, nor will it help if they change names or as new ones pop up. Nevertheless, it is a reasonable defense-in-depth measure.
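The HOSTS-file blackholing described above, as an added example that is not Jason's Appendix C file or anything from the book: it parses an existing HOSTS file, appends loopback entries for a blocklist without clobbering names already present (localhost, internal servers), and offers a check for what a given name would resolve to. All domain names and the sample HOSTS content are constructed placeholders.

```python
"""Build and query a HOSTS-style blackhole list (added example, not the
book's Appendix C file). Domain names below are constructed placeholders."""
from typing import Dict, Iterable, List

LOOPBACK = "127.0.0.1"

# Constructed sample blocklist; a real one comes from anti-spyware vendors.
SAMPLE_BLOCKLIST = [
    "tracker.example-spyware.test",
    "ads.example-adware.test",
    "Tracker.Example-Spyware.TEST",  # duplicate differing only by case
]

# Constructed stand-in for a machine's existing HOSTS file.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example.test   # internal server, keep
"""

def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lowercased) to the first address listed for it."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blanks yield []
        parts = line.split()
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])
    return mapping

def blackhole_entries(domains: Iterable[str], existing: Dict[str, str]) -> List[str]:
    """HOSTS lines sinking each domain to loopback. Names already present
    (localhost, internal servers) are skipped so the list cannot override them."""
    lines, seen = [], set()
    for d in domains:
        name = d.strip().lower().rstrip(".")
        if name and name not in seen and name not in existing:
            seen.add(name)
            lines.append(f"{LOOPBACK}\t{name}")
    return lines

def build_hosts(text: str, domains: Iterable[str]) -> str:
    """Append a marked blackhole section to existing HOSTS content."""
    new = blackhole_entries(domains, parse_hosts(text))
    return text.rstrip("\n") + "\n\n# --- spyware blackhole ---\n" + "\n".join(new) + "\n"

def resolves_to_loopback(text: str, hostname: str) -> bool:
    """True if HOSTS sends hostname to loopback. A program that connects by
    raw IP address never consults HOSTS, which is the limit of this defense."""
    return parse_hosts(text).get(hostname.lower().rstrip(".")) == LOOPBACK
```

Write the output of `build_hosts` to the platform's HOSTS location (on Windows, under `%SystemRoot%\System32\drivers\etc`) with administrative rights; the function only produces the text.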