
How to find and remove keyloggers and prevent spyware installation

Keep keyloggers from stealing your users' passwords by learning how to find and remove keyloggers, as well as how to prevent spyware installation in the first place, from IAM expert Randall Gamby.

Using an antimalware scanner, I have identified a considerable amount of local keylogger activity. Can this be identified/protected against when first detected?

Yes, you can identify and protect against this type of attack, but to do so requires the deployment of a few tools. Scanners fall under the family of Policy Enforcement Point (PEP) technologies. PEPs themselves fall into two categories: sensors and actuators. A scanner is a sensor. It detects when a security policy has been violated (in this case, unauthorized software on a system) but only reports the violation. What you're looking for is an actuator. Actuators also detect security policy violations, but instead of just reporting the issue, they can also execute a remediation activity, like protecting against or removing the keylogger.

For keyloggers at the system level, the best actuator technology is a spyware/keylogger/virus removal tool. However, this assumes you know in advance that you have a keylogger problem. Also, the tool itself may be cost-prohibitive to install on all systems or unavailable for the affected operating system.

At the infrastructure level, the newest technology is Data Loss Prevention (DLP) tools. These tools can detect when unauthorized information attempts to leave the enterprise and then block the outbound transmission. While this doesn't get rid of the keylogger, it does prevent it from sending the information back to the perpetrator of the keylogger software.

One of the most important steps is to prevent spyware from getting to the end users in the first place. To do this, run an enterprise antimalware/antivirus tool at your enterprise's boundary email server (where most of the malicious software enters the organization). If you want to lock down other avenues by which spyware can get to your systems, install software on the end-user systems that locks out thumb drives and other portable media and devices, as these are the second most-used entry point for spyware/viruses. However, before banning thumb drives, be sure to consider the inconvenience it will cause users.

As a final thought, you didn't say what your position is in your organization. I mention this because there are authorized keyloggers as well. Have you verified that the security department hasn't authorized installing keyloggers on some user systems to ensure that only authorized actions are being executed on them? Some organizations use keyloggers as a sensor PEP!
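To make the sensor/actuator distinction and the authorized-keylogger caveat concrete, here is an added illustration (not code from the article or from any product it mentions). It assumes constructed scanner output, a constructed list of keyloggers the security department has approved, and a hypothetical set of hosts where a removal tool is installed; hosts without one fall back to blocking outbound traffic, the DLP-style control described above.

```python
"""Sensor vs. actuator Policy Enforcement Points (PEP) for keylogger findings.

Constructed example: a scanner (sensor) only reports policy violations; an
actuator also decides on a remediation. Keyloggers authorized by the security
department are exempted so they are not flagged or removed by mistake.
"""
from dataclasses import dataclass

# Constructed scan results: (hostname, process name, scanner classification)
SCAN_RESULTS = [
    ("ws-101", "klogsvc.exe", "keylogger"),
    ("ws-102", "chrome.exe", "browser"),
    ("ws-103", "auditlog-agent.exe", "keylogger"),
    ("ws-104", "macro-recorder.exe", "keylogger"),
]

# Constructed exemption list: keyloggers the security department authorized.
AUTHORIZED_KEYLOGGERS = {("ws-103", "auditlog-agent.exe")}


@dataclass
class Violation:
    host: str
    process: str
    category: str


def sensor(scan_results, authorized):
    """Sensor PEP: report every unauthorized keylogger, take no action."""
    return [Violation(h, p, c) for h, p, c in scan_results
            if c == "keylogger" and (h, p) not in authorized]


def actuator(violations, removal_tool_hosts):
    """Actuator PEP: pick a remediation for each reported violation.

    Hosts with the removal tool get 'remove'; all others get 'block_egress',
    which stops the keylogger from sending captured data out of the network.
    """
    plan = {}
    for v in violations:
        action = "remove" if v.host in removal_tool_hosts else "block_egress"
        plan[(v.host, v.process)] = action
    return plan


if __name__ == "__main__":
    found = sensor(SCAN_RESULTS, AUTHORIZED_KEYLOGGERS)
    for v in found:
        print(f"REPORT {v.host}: unauthorized {v.category} {v.process}")
    for (host, proc), action in actuator(found, {"ws-101"}).items():
        print(f"ACT {host}: {action} {proc}")
```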

This was last published in November 2009
