InfoWorld
Countering spyware

The InfoWorld Test Center assesses the readiness of 10 anti-spyware operatives for active enterprise duty

By Keith Schultz
September 19, 2005
 

Spyware outbreaks are escalating from a frustrating productivity problem to an outright security issue. All it takes is one careless user who decides to satisfy his MP3 addiction by downloading a free file-swapping program poisoned with malware. A backdoor application and keylogger install themselves, and next thing you know, your company’s Web sites have been compromised and are acting as a file-sharing FTP site, and your domain registrations have been changed to an offshore company.


Whether you call it adware, malware, or spyware, these malicious programs are not only capable of tracking where a user goes on the Internet, but they also capture sensitive information such as user names, passwords, and customer data, including credit card information.

Fortunately, vendors are working to provide smarter and better anti-spyware tools to help protect against these digital sneak attacks. I recently took 10 enterprise anti-spyware operatives and put them through a series of real-world tests to see how good they are at intercepting malicious programs and protecting end users’ computers and sensitive company information. Participating companies included Computer Associates, Eset, F-Secure, LANDesk, McAfee, Sunbelt, SurfControl, Tenebril, Trend Micro, and Webroot.

Enterprise Ready?
Last year, I reviewed two of the first enterprise-geared anti-spyware apps -- Tenebril SpyCatcher 3.0 Enterprise and CA eTrust PestPatrol Corporate Edition 5.0 -- and saw just how far products on the market were from being truly enterprise-ready. The latest versions of both applications are included in this year’s roundup, and I’m happy to say that both -- and just about all of the others reviewed -- can truly be considered for the enterprise. Deployment, management, and reporting are all easily managed from centralized consoles, and all of the products scale easily into the thousands of installed seats.

All but one of the products integrate easily and thoroughly with AD (Active Directory), as well as with simple workgroups. By hooking into AD, admins can directly access domain PCs and more easily push installations and updates to clients. All of the anti-spyware products come with centralized reporting, though some do it better than others. Trend Micro creates very nice looking -- though static -- HTML reports, whereas LANDesk Security Suite includes one of the most flexible and powerful reporting systems in the roundup.

Agent deployment was one area where the vendors shared a common theme; they all support the push delivery method. Further, all the products allow for either .exe or .msi distribution via scripting or software distribution tools. An area where the solutions vary greatly is in how managers interact with installed clients. F-Secure does a great job of allowing an administrator to view protected PCs and manage policies and definitions, but it doesn’t have a way to start an on-demand scan of a client.

Real Time Makes a Real Difference
Support for real-time protection also varies among vendors. McAfee’s, Trend Micro’s, and Tenebril’s versions allow the malware to install, but prevent it from executing, thus leaving it installed but neutered until a removal scan is started. Others, such as Sunbelt CounterSpy, block most malware installs while missing others, and, like Trend Micro, remove existing traces on next scan. F-Secure did the best job of preventing initial installations, blocking all spyware and malware attacks.

To be fair, the real-time protection offered by all of the products tested is far and away superior to what was available just a year ago -- and absolutely better than using nothing at all. Real-time protection must achieve the same effectiveness we expect from our anti-virus protection: it must be capable of blocking the installation from ever occurring. Simply watching for a process isn’t enough; the malware needs to be eliminated, either out of the HTTP stream or as it is being installed.

All of these solutions provide scanning and cleaning services both on-demand (aside from F-Secure) and on a schedule, all from the admin console. Not all client-installed agents allow the end-user to initiate either a scan or clean task. In fact, the products from Computer Associates, SurfControl, Tenebril, and Trend Micro don’t even show an icon on the system tray or have a way for an end-user to interact with the agent. Scan and clean events are usually going to be scheduled by the administrator, but it would be nice to allow users the choice of launching their own scans.

Since my previous review, all of these anti-spyware products have also matured insofar as managing product and definition updates. All of them centrally manage definition updates, acting as a single distribution source. LANDesk Security Suite 8.6 goes one better by allowing clients in the same subnet or workgroup to download updates in a peer-to-peer fashion even before looking to the central server, and Spy Sweeper designates distributors, special Spy Sweeper clients in different subnets, to help share program and definition updates.

For my tests, I used a list of nine Web sites and URLs that are sources of malware, spyware, and viruses, and all were effective and convincing in their delivery. Two of the sites actually showed step-by-step how to install the ActiveX control they were trying to deliver. To make sure I tested each product the same way, I scripted my browsing experience using Macro Scheduler 7.3, by MJT Net. For the products that did not include anti-virus protection, I installed Norton AntiVirus Corporate Edition 7.6 and updated it with the latest definitions. My test PCs and servers were a mix of Windows 2000 Server, Windows XP Pro, and Windows 2003 Server Standard.

Computer Associates eTrust PestPatrol Anti-Spyware Corporate Edition r5
One of the most established brands in anti-spyware, Computer Associates eTrust PestPatrol comes with an updated detection engine and a smaller memory footprint. PestPatrol’s Active Protection (the company’s real-time implementation) is very weak, and reporting is nearly as bad. It does, however, provide good scanning and cleaning capabilities, and its UI is the easiest to use.

Computer Associates eTrust PestPatrol Anti-Spyware Corporate Edition r5

Computer Associates, ca.com

Good  7.6
criteria score weight
Effectiveness 8 50%
Management 7 20%
Reporting 6 10%
Setup 9 10%
Value 7 10%

Cost:
For 100 users, $39.95 per user

Platforms:
Compatible with Windows 98 and later

Bottom Line:
Computer Associates’ eTrust PestPatrol provides very good detection and removal of installed spyware. Its administrative UI is easy to install, maintain, and use, but its reporting is very limited. Real-time detection and prevention of initial spyware installation is very weak: It allows spyware to install but prevents the processes from running.

About our Reviews and Scoring Methodology



Eset NOD32 2.5 Antivirus System

Eset, eset.com

Good  7.2
criteria score weight
Effectiveness 7 50%
Management 7 20%
Reporting 9 10%
Setup 7 10%
Value 7 10%

Cost:
$2,060 for 100 enterprise users

Platforms:
Windows 95 and later; Linux (kernel 2.2.x, 2.4.x, and 2.6.x, glibc 2.2.5 or higher); Novell NetWare 4.x and later

Bottom Line:
NOD32 Antivirus System has the potential to be a major anti-spyware player with a few enhancements, such as smoother, more streamlined installation. Policies are flexible but building them is a chore. Reporting is very strong, allowing for many different views into workstation histories. Detection and prevention is merely average: A small group of spyware slipped through.




F-Secure Anti-Virus Client Security 6

F-Secure, f-secure.com

Excellent  9.3
criteria score weight
Effectiveness 10 50%
Management 8 20%
Reporting 9 10%
Setup 9 10%
Value 9 10%

Cost:
For 100 users, $29.75 per user

Platforms:
Server: Windows 2000/XP/2003; client: Windows 2000/XP, F-Secure Policy Manager Console

Bottom Line:
F-Secure has rolled anti-virus, anti-spyware, and personal firewall protection into a single package. It has the best real-time protection of any products in this roundup, stopping all attempts. On previously infected systems, detection and removal were also first rate. Reporting is excellent, but it suffers from some organizational issues in the administrative UI.




LANDesk Security Suite 8.6

LANDesk, landesk.com

Excellent  8.7
criteria score weight
Effectiveness 9 50%
Management 8 20%
Reporting 10 10%
Setup 8 10%
Value 8 10%

Cost:
For 100 users, $5,900 for the first year, $2,900 each year after

Platforms:
Server: Windows 2000/2003 Server; client: Windows 95 and later, Mac OS 9.22 and later, HP-UX, IBM AIX 5.1, NetWare 6.0, 6.5, Red Hat Linux 7.3, 8.0, 9.0, Solaris 8, Suse Linux 9.

Bottom Line:
LANDesk Security Suite scales to any size and complements the already strong LANDesk product family. It has very good detection and remediation, and its real-time protection is above average, although an IE toolbar did slip through. Reporting is top notch but administrative overhead is considerable.




McAfee VirusScan Enterprise 8.0 with Anti-Spyware Enterprise Module 8.0

McAfee, mcafee.com

Very Good  8.2
criteria score weight
Effectiveness 8 50%
Management 8 20%
Reporting 10 10%
Setup 8 10%
Value 8 10%

Cost:
For 100 users, $16 per user with 1-year support

Platforms:
Server: Windows NT 4 Server, Windows 2000/2003 Server; client: Windows NT 4, Windows 2000/2003/XP

Bottom Line:
The addition of Anti-Spyware Enterprise Module to VirusScan Enterprise provides a very scalable platform for protecting your network from spyware and viruses. Reporting capabilities are excellent, but real-time protection is only average. Administration is more difficult than that of most of the other products.




Sunbelt CounterSpy Enterprise 1.5

Sunbelt Software, sunbelt-software.com

Very Good  8.5
criteria score weight
Effectiveness 8 50%
Management 9 20%
Reporting 9 10%
Setup 9 10%
Value 9 10%

Cost:
For 100 users, $17.95 per user

Platforms:
Server: Windows 2000 and later; client: NT4 SP6a, Windows 98SE and later

Bottom Line:
CounterSpy Enterprise was one of the easiest products to install and maintain. Its real-time protection allows spyware to install before terminating it, but its on-demand detection and remediation is very good. Reporting is good, but not as strong as that of some others in this roundup.




SurfControl Enterprise Protection Suite - Enterprise Threat Shield

SurfControl, surfcontrol.com

Very Good  8.3
criteria score weight
Effectiveness 8 50%
Management 9 20%
Reporting 8 10%
Setup 9 10%
Value 8 10%

Cost:
For 100 users, $1,530 for a perpetual, one-time purchase. Annual subscription to the Threat Shield databases, $1,874

Platforms:
Server: Windows Server 2000/2003; client: Windows 98/ME and later

Bottom Line:
SurfControl Enterprise Threat Shield is straightforward to install, and administration isn’t overly complex. Real-time protection proved better than average. It relies, however, on being connected to a management server, so disconnected users lose some protection. It has a very small memory footprint, even during an on-demand scan. Its reporting engine is very capable.




Tenebril SpyCatcher 4.0 Beta

Tenebril, tenebril.com

Beta (not scored)

Cost:
For 100 users, $26.40 per user.

Platforms:
Server: Windows 2000/XP/2003; client: Windows 2000/XP/2003

Bottom Line:
SpyCatcher is an easy-to-deploy-and-administer anti-spyware solution with great detection and remediation. Real-time protection doesn’t block spyware installations but does stop any process from launching. Reporting is good, but it lacks customization.




Trend Micro Anti-Spyware for Small and Medium Business 3.0

Trend Micro, trendmicro.com

Very Good  8.1
criteria score weight
Effectiveness 8 50%
Management 8 20%
Reporting 8 10%
Setup 9 10%
Value 8 10%

Cost:
For 100 users, $17.85 per user

Platforms:
Server: Windows XP/2000/2003; client: Windows XP/2000/2003

Bottom Line:
Anti-Spyware for Small and Medium Business likely will be one of the best anti-spyware products available, once it matures a little more. Real-time protection allows spyware to install before clamping down on it. On-demand scans and cleans work well and remove any traces of spyware from a PC. Reporting could be made a little stronger if there were customization options.




Webroot Spy Sweeper Enterprise 2.5

Webroot, webroot.com

Excellent  8.8
criteria score weight
Effectiveness 9 50%
Management 9 20%
Reporting 8 10%
Setup 9 10%
Value 8 10%

Cost:
For 100 clients, $25.97 per client

Platforms:
Server: Windows NT 4.0 and later; client: Windows 98SE and later

Bottom Line:
Spy Sweeper is one of the best all-around anti-spyware tools. It offers good real-time protection and excellent detection and remediation. Spy Sweeper is flexible enough that administrators can easily create policies based on specific needs. Reporting would be better if it allowed for customizable reports.
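As an added check on the scorecards above (example code written for this page, not from InfoWorld or any of the vendors), the following Python parses the plain-text scorecard layout and recomputes each overall score as the weighted average of the five criteria, using the weights each card states; the two embedded cards are copied from the article as test input.

```python
# Added example, not code from the InfoWorld article: parse the plain-text
# scorecards and recompute the overall score from the per-criterion scores
# and weights, so the published numbers can be checked against the method.
import re

# Two of the article's nine scorecards, copied as printed (test input).
SCORECARDS = """\
Computer Associates eTrust PestPatrol Anti-Spyware Corporate Edition r5
Good  7.6
criteria score weight
Effectiveness 8 50%
Management 7 20%
Reporting 6 10%
Setup 9 10%
Value 7 10%

F-Secure Anti-Virus Client Security 6
Excellent  9.3
criteria score weight
Effectiveness 10 50%
Management 8 20%
Reporting 9 10%
Setup 9 10%
Value 9 10%
"""

OVERALL = re.compile(r"^([A-Za-z ]+?)\s+(\d+(?:\.\d+)?)$")  # "Good  7.6"
ROW = re.compile(r"^(\w+)\s+(\d+)\s+(\d+)%$")               # "Setup 9 10%"

def parse_cards(text):
    """Yield (product, published_overall, {criterion: (score, weight)})."""
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        product = lines[0]
        published = float(OVERALL.match(lines[1]).group(2))
        rows = {}
        for line in lines[3:]:  # skip the 'criteria score weight' header
            m = ROW.match(line)
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
        yield product, published, rows

def weighted_score(rows):
    """Weighted average of criterion scores; weights must total 100%."""
    if sum(w for _, w in rows.values()) != 100:
        raise ValueError("weights do not sum to 100%")
    # Integer arithmetic first, one division at the end, to avoid drift.
    return round(sum(s * w for s, w in rows.values()) / 100, 1)

def check_cards(text):
    """Map product -> (published, recomputed, published == recomputed)."""
    result = {}
    for product, published, rows in parse_cards(text):
        recomputed = weighted_score(rows)
        result[product] = (published, recomputed, published == recomputed)
    return result
```

Running check_cards over all nine cards on this page reproduces every published overall score, which confirms the 50/20/10/10/10 weighting the cards state.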

Keith Schultz is president of NetData Consulting Services.