Ask the Expert

How to find and remove keyloggers and prevent spyware installation

Using an antimalware scanner, I have identified a considerable amount of local keylogger activity. Can this be identified/protected against when first detected?


Yes, you can identify and protect against this type of attack, but to do so requires the deployment of a few tools. Scanners fall under the family of Policy Enforcement Points (PEP) technologies. PEPs themselves fall into two categories: sensors and actuators. A scanner is a sensor. It detects when a security policy has been violated (in this case, unauthorized software on a system) but only reports the violation. What you're looking for is an actuator. Actuators also detect security policy violations, but instead of just reporting the issue, they can also execute a remediation activity, like protecting against or removing the keylogger.

For keyloggers at the system level, the best actuator technology is a spyware/keylogger/virus removal tool. However, this assumes you know in advance that you have a keylogger problem. Also, the tool itself may be cost-prohibitive to install on all systems or unavailable for the affected operating system.

At the infrastructure level, the newest technology is Data Loss Prevention (DLP) tools. These tools can detect when unauthorized information attempts to leave the enterprise and then block the outbound transmission. While this doesn't get rid of the keylogger, it does prevent it from sending the information back to the perpetrator of the keylogger software.

One of the most important steps is to prevent spyware from getting to the end users in the first place. To do this, run an enterprise antimalware/antivirus tool at your enterprise's boundary email server (where most of the malicious software enters the organization). If you want to lock down other avenues by which spyware can get to your systems, install software on the end-user systems that locks out thumb drives and other portable media and devices, as these are the second most-used entry point for spyware/viruses. However, before banning thumb drives, be sure to consider the inconvenience it will cause users.

As a final thought, you didn't say what your position is in your organization. I mention this because there are authorized keyloggers as well. Have you verified that the security department hasn't authorized installing keyloggers on some user systems to ensure that only authorized actions are being executed on them? Some organizations use keyloggers as a sensor PEP!
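The sensor/actuator distinction and the authorized-keylogger check from the answer above, written out as a small policy enforcement point in Python. This is an added example, not code from the original column; the host name, file names, file contents and quarantine layout are all constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

SENSOR, ACTUATOR = "sensor", "actuator"

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def enforce(findings, authorized, mode, quarantine_dir):
    """findings: [(host, path)] the scanner flagged as keylogger activity.
    authorized: {(host, sha256)} keyloggers the security department approved.
    SENSOR only reports; ACTUATOR also quarantines unauthorized files.
    Returns [(host, path, verdict)]: authorized/reported/quarantined/missing."""
    if mode not in (SENSOR, ACTUATOR):
        raise ValueError(f"unknown PEP mode: {mode}")
    os.makedirs(quarantine_dir, exist_ok=True)
    results = []
    for host, path in findings:
        if not os.path.isfile(path):          # gone before we got to it
            results.append((host, path, "missing"))
            continue
        digest = sha256_of(path)
        if (host, digest) in authorized:      # sanctioned sensor PEP: keep it
            results.append((host, path, "authorized"))
        elif mode == SENSOR:
            results.append((host, path, "reported"))
        else:
            # Move the file out under its hash and log its origin so a false positive can be restored.
            dest = os.path.join(quarantine_dir, f"{host}-{digest}.bin")
            shutil.move(path, dest)
            Path(dest + ".origin").write_text(f"{host}\t{path}\n")
            results.append((host, path, "quarantined"))
    return results

def demo():
    """Constructed scenario: two flagged files on one host, one of them authorized."""
    root = tempfile.mkdtemp()
    approved = os.path.join(root, "audit_logger.exe")   # constructed names
    rogue = os.path.join(root, "unknown_hook.exe")
    Path(approved).write_bytes(b"approved logger")
    Path(rogue).write_bytes(b"rogue logger")
    authorized = {("finance-ws-07", sha256_of(approved))}
    findings = [("finance-ws-07", approved), ("finance-ws-07", rogue)]
    quarantine = os.path.join(root, "quarantine")
    report = enforce(findings, authorized, SENSOR, quarantine)    # nothing moved
    actions = enforce(findings, authorized, ACTUATOR, quarantine)  # rogue moved
    return report, actions, os.path.exists(approved), os.path.exists(rogue)
```

Running `demo()` shows the same findings handled twice: the sensor pass leaves both files in place, while the actuator pass quarantines only the unauthorized one.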


This was first published in November 2009
