Anyway to detect whats been installed?

Soldato
Joined
6 Jan 2006
Posts
3,294
Location
Newcastle upon Tyne
A friend of mine is concerned that one of her employees somehow has access to her emails or computer. There has been too many instances where something has been said in her emails for the employee to then comment on it further. She has changed her password to a very strong one and is changing this weekly as a precaution but I said that there may be some remote software or key logger installed? Is there anyway to check for this? She'd like to avoid a full format if possible but will do it as a last resort.

This particular employees boyfriend works in IT which is making her even more paranoid.

Can anyone suggest anything to check what installed on her PC and if there is anything there shouldnt be on there!
 
Don
Joined
21 Oct 2002
Posts
46,520
Location
Parts Unknown
The other person could have her mailbox added by the guy in IT.

Grounds for immediate dismissal if it hasn't been approved by HR. Speak to HR.
 
Associate
Joined
16 Apr 2007
Posts
2,104
The other person could have her mailbox added by the guy in IT.

Grounds for immediate dismissal if it hasn't been approved by HR. Speak to HR.

This is a possibility.
As for keyloggers and such the good ones will be well hidden but I would think they might be picked up by a virus scan?
 
Soldato
Joined
6 Jan 2006
Posts
3,294
Location
Newcastle upon Tyne
Sorry, I think my comment about the employee's boyfriend working in IT has confused matters! He works in an unconnected IT company but just added that to say that this employee may have the knowledge to do something the average user may not.

Its her own small company without an IT department. They use IMAP for their emails via their webhost.
 
Soldato
Joined
24 Apr 2013
Posts
3,067
Ensure decent AV on machine and sigs updated accordingly. No keylogger will run beyond sig updates of any decent AV out there.

Procmon - https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
For checking local machine and what's going on there but think anything running locally is unlikely unless she is running unpatched with no AV or something ridiculous. Tick the box though.

Who is their host?
Emails on Smartphone?
IT bloke boyfriend, is he any good? Most likely oversight.

If your friend here is owner of this business she can ask the employee how on earth she is knowledgeable to such and such information when she has not been involved to the degree of knowledge shown.

Again, if your friend here is the business owner how is the other users access to data/hardware/hosted mailbox all managed etc?
 
Soldato
Joined
6 Jan 2006
Posts
3,294
Location
Newcastle upon Tyne
Ensure decent AV on machine and sigs updated accordingly. No keylogger will run beyond sig updates of any decent AV out there.

Procmon - https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
For checking local machine and what's going on there but think anything running locally is unlikely unless she is running unpatched with no AV or something ridiculous. Tick the box though.

Who is their host?
Emails on Smartphone?
IT bloke boyfriend, is he any good? Most likely oversight.

If your friend here is owner of this business she can ask the employee how on earth she is knowledgeable to such and such information when she has not been involved to the degree of knowledge shown.

Again, if your friend here is the business owner how is the other users access to data/hardware/hosted mailbox all managed etc?

Will check out the link thanks.

Their host is 1&1. Ive told her to switch to tsohost and use O365 for the company emails.

Emails are on her iphone yes.

The employee keeps saying how good her boyfriend is and really pushes to get him in to manage their IT on a part time cash basis but its really not needed. The employee pushing this has made her think that they were trying to get in and install some software on the computers etc.

The network is only tiny, 4 PCs with documents stored in Google Drive. Shes savvy enough not to store her passwords on her PC or online etc.

Wipe the machine and start over. Check for hardware keylogger.

I think thats probably the safest bet. They dont have much to reinstall either.

Could be VNC or anything really.

Yeah I got her to check for anything obvious but nothing jumped out.
 
Soldato
Joined
20 Mar 2006
Posts
8,214
Format it from orbit....only way to be sure.

That is not to say it couldn't be installed again of course.
 
Soldato
Joined
6 Jan 2006
Posts
3,294
Location
Newcastle upon Tyne
Shes a lot more vigilant now about locking her PC if she leaves it so I think it would be difficult for anyone to gain access to it if it was formatted.

Ive advised her to look at the host too to see if someone gains access tothe control panel whether or not they could get access to web mail for different users. Also, there may be something set up via the control panel to allow this employee access to the mail box? Im no familiar with 1&1 to be fair.
 
Man of Honour
Joined
26 Dec 2003
Posts
28,671
Location
Shropshire
Unless you totally encrypt the system disc then anyone with physical access who really wants to get on to her system can.
 
Soldato
Joined
24 Apr 2013
Posts
3,067
Procmon will identify anything running on that machine, so check it out and tick that box, I will assume all clear if AV present. VNC good shout but I'd hope instantly identified even by a quick look on taskmanager.

Ensure via 1&1 who has login creds for anything admin panel-ish and who can gain administrative rights for creation/access to mailboxes hosted there.
Have your friend change all login creds to said 1&1 hosted admin pages as I am guessing this should only solely be her if it is her business.

1&1 I ain't worked with them for years but hopefully will provide login activity log on the account and also 2FA which would be advisable to enable.

Secure the office machine, guess that's done via managing passwords well but same applies to the iPhone.

I think going down the route of it being her business and challenging the employee would be good. If she is the boss then this other person is using her network/google drive/office etc as employee and she should be treated as such!
The boyfriend wanting in to manage their IT does sound sketch but could equally be genuine and paranoia is mostly at play on that front. I wouldn't touch him if there is any hint of doubt in his GF at work though.... Plenty decent IT bods out there to choose for help!!
 
Soldato
Joined
1 Mar 2010
Posts
17,147
Are email folders backed up/archived independently of 1&1 for any disaster ? - in cloud storage say, that could be a security weakness.

Equally the google drive must have some degree of common access - how do they exchange data between one another ? , so that might be a weakness too.
 
Soldato
Joined
17 Nov 2005
Posts
2,930
Location
Swindon, UK
If the email is running on Outlook with an Exchange server, then IT can have access to any email they want.

Obviously this guy is over stepping the mark.

I did this once and felt really stupid and embarrassed by using my 'powers' for wrong.
 
Soldato
Joined
16 Jun 2009
Posts
2,566
Location
Bucks
Meantime, boss can test suspicions by arranging to send a totally fictitious email about relocating to India or something, and see what happens...
 
Last edited:
Top