Best Method for Preventing Spyware ? Besides Limiting Internet Usage

Here is situation. President of the company has a Windows 7 box that continually has loads of spyware. It gets to the point it creeps, email and internet get "not responding" messages and he becomes frustrated and tells me to "fix it". I usually run Malware Bytes MBAM (free version) and it finds alot of things, clean it up and he is fine for a few days/weeks.

We run a network version of Trend Small Business security that seems to detect and clean fairly well. Seems to be 3 or 4 people who end up with the spyware creep.

Any best method you guys can enlighten me on ?
John BattlesDirector of ITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Imagine you were able to define what runs on his box. Only those executables that you list will run.
Sounds promising, right? That's the concept of the built-in mechanisms "software restriction policies" (any edition but home) and its successor, applocker (only enterprise or ultimate editions have it).
Besides the usual:

- antivirus
- keep ALL software up to date (not only Windows, also browser/flash/adobe/etc etc etc)

the most important is USER EDUCATION. Curiosity killed the cat, and the computer as well. People are just too curious and gullible and will click on ANYTHING. Some spyware needs SEVERAL mouseclicks to be installed, but like a drone, most users continue and continue.
Explain their lives really don't depend on them clicking EVERYTHING in their sight. Explain READING is also key.
Trust me, an email like this:
subject: invoice
body: please click attachment
attachment (doesn't matter if it's zip, exe, etc etc)

With NO EXTRA text, no signature, no personal information, IT GETS CLICKED ON AND INSTALLED!

Then again, in some companies I work at, sending out weekly emails explaining, they still keep doing it.  The only thing you can do is mitigation, keeping infections in the user space and hopefully keep it the clean up time to a minimum.

When users just don't listen, with ALL the measures you put up, some WILL get through (usually the newest type where antivirus didn't send out virus updates for)

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
The only REAL way to prevent spyware is common sense. Lack of common sense means wrecked machines.

In addition to the suggestions above about Anti Virus, also look at adding Microsoft EMET to the machine. EMET obfuscates addressing so that spyware gets trapped.

See my article on Windows 8.1 which includes description and use of EMET.

Remember, common sense is the only defense. ALL Antivirus (100%) is rear guard protection AFTER the spyware has struck. That is the way it works.
SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

Also see what a known "winfu master"* (black belt in windows security guy, a top security trainer/consultant) has to say at

So what is my "shields up" defense if not an anti-malware solution and a firewall? Let’s first look at a list of my defensive measures:

No end user administrator rights – This is the most fundamental and important part. Even Microsoft documentation states that if you are running local administrative rights you can’t protect yourself.
Current OS – I’m running a 64-bit version of Windows 8.1 Enterprise that is fully up to date.
Unified Extensible Firmware Interface (UEFI) – I always run hardware that has UEFI and Secure Boot enabled.
Trusted Platform Module (TPM) – I always run hardware that has a TPM, either as a physical chip or as part of the firmware.
BitLocker – I always have hard disk encryption in place.
AppLocker – I only run whitelisted software. You can do this with Windows 8.1 Pro and Software Restriction Policies, but AppLocker in Windows 8.1 Enterprise is easier to administer.
IPsec – I only answer to devices I trust.

* [Sami Laiho is one of the world's best Windows infrastructure trainers. Sami has been an MVP in Windows OS since 2011 and a member of the Microsoft STEP group (group of platinum MVP’s). ]
If your business size can afford it, you may want to look at a web filtering appliance. I understand that you don't want to limit Internet access ( although that would probably solve some of the issue), but some appliances have a AV feature that will keep people away from sites that are known to be infected. So, while he can go pretty much wherever he wants to go, depending on your policies, if he tries to go to a site that is known to be infected he will not be able to; which I can't imagine anyone objecting to.

Also, we use an email filtering system called Mimecast. It does a great job of filtering out spam and infected emails. Also, they have a feature called targeted threat protection.  What this does is to create a redirect link for every link in every email  that comes from the outside. So, when the user clicks on a link one of three things happens. One the link is evaluated as OK and the user is just taken there. Two, the link can't adequately be evaluated or it sort of looks OK and the user is given the option of going there or not. Three, the link is identified as malware and the user is blocked from it. There are some ways around it, but assuming the user really is concerned about security at least to some extent, these two items should help immensely without hampering his access.

Personally, your company needs to develop policies and procedures for limiting this kind of access and stick to it along with, as has already been mentioned, user education.
William FulksSystems Analyst & WebmasterCommented:
Does he have admin rights to the machine? If so, taking those away may help a little though most malware/spyware circumvents those rights.

However, there is no guaranteed way to block everything. It really comes down to user training. If you get somebody that clicks on any old thing, they are going to continually have problems.
David AndersTechnician Commented:   is simple, free, and a decent replacement for siteadvisor.  It warns, but does not prevent visiting known bad websites.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.