Countering spyware

The InfoWorld Test Center assesses the readiness of 10 anti-spyware operatives for active enterprise duty

Spyware outbreaks are escalating from a frustrating productivity problem to an outright security issue. All it takes is one careless user who decides to satisfy his MP3 addiction by downloading a free file-swapping program poisoned with malware. A backdoor application and keylogger install themselves, and next thing you know, your company’s Web sites have been compromised and are acting as a file-sharing FTP site, and your domain registrations have been changed to an offshore company.

Whether you call it adware, malware, or spyware, these malicious programs are not only capable of tracking where a user goes on the Internet, but they also capture sensitive information such as user names, passwords, and customer data, including credit card information.

Fortunately, vendors are working to provide smarter and better antispyware tools to help protect against these digital sneak attacks. I recently took ten enterprise antispyware operatives and put them through a series of real-world tests to see how good they are at intercepting malicious programs and protecting end-users' computers and sensitive company information. Participating companies included: Computer Associates, Eset, F-Secure, LANDesk, McAfee, Sunbelt, SurfControl, Tenebril, Trend Micro, and Webroot.

Enterprise Ready?

Last year, I reviewed two of the first enterprise-geared anti-spyware apps -- Tenebril SpyCatcher 3.0 Enterprise and CA eTrust PestPatrol Corporate Edition 5.0 -- and saw just how far products on the market were from being truly enterprise-ready. The latest versions of both applications are included in this year’s roundup, and I’m happy to say that both -- and just about all of the others reviewed -- can truly be considered for the enterprise. Deployment, management, and reporting are all easily managed from centralized consoles, and all of the products scale easily into the thousands of installed seats.

All but one of the products integrates easily and thoroughly with AD (Active Directory), as well as simple workgroups. By hooking AD, admins can directly access domain PCs and more easily push installations and updates to clients. All of the anti-spyware products come with centralized reporting, again some better than others. Trend Micro creates very nice looking -- though static -- HTML reports, whereas LANDesk Security Suite includes one of the most flexible and powerful reporting systems in the roundup.

Agent deployment was one area where the vendors shared a common theme; they all support the push delivery method. Further, all the products allow for either .exe or .msi distribution via scripting or software distribution tools. An area where the solutions vary greatly is in how managers interact with installed clients. F-Secure does a great job of allowing an administrator to view protected PCs and manage policies and definitions, but it doesn’t have a way to start an on-demand scan of a client.

Real Time Makes a Real Difference

Support for real-time protection also varies among vendors. McAfee’s, Trend Micro’s, and Tenebril’s versions allow the malware to install, but prevent it from executing, thus leaving it installed but neutered until a removal scan is started. Others, such as Sunbelt CounterSpy, block most malware installs while missing others, and, like Trend Micro, remove existing traces on next scan. F-Secure did the best job of preventing initial installations, blocking all spyware and malware attacks.

To be fair, the real-time protection offered by all of the products tested is far and away superior to what was available just a year ago -- and absolutely better than using nothing at all. Real-time protection must achieve the same effectiveness we expect from our anti-virus protection: it must be capable of blocking the installation from ever occurring. Simply watching for a process isn’t enough; it needs to be eliminated, either out of the HTTP stream or as it is being installed.

All of these solutions provide scanning and cleaning services both on-demand (aside from F-Secure) and on a schedule, all from the admin console. Not all client-installed agents allow the end-user to initiate either a scan or clean task. In fact, the products from Computer Associates, SurfControl, Tenebril, and Trend Micro don’t even show an icon on the system tray or have a way for an end-user to interact with the agent. Scan and clean events are usually going to be scheduled by the administrator, but it would be nice to allow users the choice of launching their own scans.

Since my previous review, all of these anti-spyware products have also matured insofar as managing product and definition updates. All of them centrally manage definition updates, acting as a single distribution source. LANDesk Security Suite 8.6 goes one better by allowing clients in the same subnet or workgroup to download updates in a peer-to-peer fashion even before looking to the central server, and Spy Sweeper designates distributors, special Spy Sweeper clients in different subnets, to help share program and definition updates.

For my tests, I used a list of nine Web sites and URLs that are sources of malware, spyware, and viruses, and all were effective and convincing in their delivery. Two of the sites actually showed step-by-step how to install the ActiveX control they were trying to deliver. To make sure I tested each product the same way, I scripted my browsing experience using Macro Scheduler 7.3, by MJT Net. For the products that did not include anti-virus protection, I installed Norton AntiVirus Corporate Edition 7.6 and updated it with the latest definitions. My test PCs and servers were a mix of Windows 2000 Server, Windows XP Pro, and Windows 2003 Server Standard.


Computer Associates eTrust PestPatrol Anti-Spyware Corporate Edition r5

One of the most established brands in anti-spyware, Computer Associates eTrust PestPatrol comes with an updated detection engine and a smaller memory footprint. PestPatrol’s Active Protection (the company’s real-time implementation) is very weak, and reporting is nearly as bad. It does, however, provide good scanning and cleaning capabilities, and its UI is the easiest to use.

I reviewed CA’s eTrust PestPatrol Anti-Spyware last October, and, on the surface, things are pretty much the same as they were then. Installation proved to be intuitive as well as non-eventful. I was able to push the PestPatrol agent to my client PCs right from the administration console. A command line distribution method is also available for clients for which the admin console doesn’t have local administrative rights or for enterprises that have a software distribution system in place.

The scanning and detection engine has been upgraded for this release. CA changed how PestPatrol scans for and identifies spyware. Now it scans based on a CRC (cyclic redundancy check) signature first, and if it finds a possible hit, it uses an MD5 hash to make sure. The CRC check is very fast, allowing PestPatrol to improve its scanning performance. I liked that I could select multiple clients from across the network and launch an on-demand scan with one click. At scan time, I was able to choose how to handle detected threats and also where to look for them.
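The two-stage lookup described above (cheap CRC first, stronger hash only on a hit) is easy to see in miniature. This is an added illustration written for this article, not PestPatrol's own code; the pest names, file paths and a deliberately colliding signature entry are all constructed.

```python
import hashlib
import zlib
from typing import Dict, List, Optional, Tuple

# Signature database layout: CRC32 -> list of (MD5 hex digest, pest name).
# Several entries may share one CRC32 value; MD5 is what confirms a match.
SignatureDB = Dict[int, List[Tuple[str, str]]]


def crc32_of(data: bytes) -> int:
    """Cheap first-stage fingerprint (CRC32 is fast but only 32 bits wide)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def md5_of(data: bytes) -> str:
    """Second-stage fingerprint used to confirm a CRC hit."""
    return hashlib.md5(data).hexdigest()


def build_signature_db(samples: Dict[str, bytes]) -> SignatureDB:
    """Index known pest samples by CRC32, keeping their MD5 for confirmation."""
    db: SignatureDB = {}
    for name, data in samples.items():
        db.setdefault(crc32_of(data), []).append((md5_of(data), name))
    return db


def classify(data: bytes, db: SignatureDB) -> Tuple[Optional[str], bool]:
    """Return (pest name or None, whether the slower MD5 stage was needed)."""
    candidates = db.get(crc32_of(data))
    if not candidates:
        return None, False          # fast path: no CRC hit, MD5 never computed
    digest = md5_of(data)           # CRC hit: confirm with the stronger hash
    for md5_hex, name in candidates:
        if md5_hex == digest:
            return name, True
    return None, True               # CRC collision: MD5 rejects the false hit


def scan_files(files: Dict[str, bytes],
               db: SignatureDB) -> Dict[str, Tuple[Optional[str], bool]]:
    """Classify every file in a (constructed) file map."""
    return {path: classify(data, db) for path, data in files.items()}


# Constructed sample data: stand-ins for pest files, not real malware.
PEST_SAMPLES = {
    "Pest.A": b"constructed stand-in for pest A payload",
    "Pest.B": b"constructed stand-in for pest B payload",
}
BENIGN_DOC = b"ordinary quarterly report text, nothing to see here"

SIGNATURE_DB = build_signature_db(PEST_SAMPLES)
# Constructed CRC collision: an entry whose CRC32 equals the benign file's but
# whose MD5 belongs to a different (hypothetical) pest, so MD5 must reject it.
SIGNATURE_DB.setdefault(crc32_of(BENIGN_DOC), []).append(
    (md5_of(b"some other hypothetical pest bytes"), "Pest.C"))

# Constructed "file system" to scan.
TEST_FILES = {
    "C:/temp/pest_a.exe": PEST_SAMPLES["Pest.A"],
    "C:/docs/report.txt": BENIGN_DOC,
    "C:/docs/notes.txt": b"unrelated notes",
}

if __name__ == "__main__":
    for path, (pest, used_md5) in scan_files(TEST_FILES, SIGNATURE_DB).items():
        print(f"{path}: {pest or 'clean'} (MD5 stage run: {used_md5})")
```

The CRC stage is what keeps the scan fast, since most files never reach the hash computation; the MD5 stage is what keeps a 32-bit collision from turning a benign file into a false positive.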

PestPatrol really falls behind the other products in this roundup with its real-time scanning. Its Active Protection is comparable to Tenebril SpyCatcher. It doesn’t block malicious content from making its way into the system. Instead, it monitors processes in memory and cookie activity on the client PC. The goal is to stop or slow down malware between scheduled or on-demand scans. With the number of threats in the wild and the growing sophistication of the attacks, Active Protection as it stands just isn’t enough. Computer Associates stated that the next release of PestPatrol will have a more active real-time agent.

Reporting is another area where PestPatrol really misses the mark. Reports are available based on pests or a specific pest, all or selected workstations, and also by date range. The generated report is a text file describing each event; no support for any other format or charts is available. Activity and quarantine log views per machine are available. From here, admins can purge and archive quarantined malware on a client-by-client basis.

PestPatrol does allow for exclusions based on the included lists of known pests and categories, or admins can add their own files and paths to exclude. This is helpful if you want to make sure some applications -- such as remote control or password-cracking tools -- are never quarantined by mistake. Unfortunately, administrators cannot add their own applications to the pest list for removal.

Overall, PestPatrol is a decent all-around anti-spyware solution. It does have some weaknesses, most of which will be addressed in the next release, but it’s one of the easiest tools to use. The scanning engine did an excellent job of removing any spyware on the system, and the push install made deployment fast and easy.

Eset NOD32 2.5 Antivirus System

Eset, with its NOD32 Antivirus System, is a relatively unknown player in the enterprise anti-spyware game. This suite of security services proved average in detecting and cleaning my malware threats but boasts a full-featured remote-administration console. Although NOD32 has solid technical chops, it does suffer from overly cumbersome installation and disjointed administration.

The core technology of NOD32 is Eset’s ThreatSense detection technology, a single engine that identifies malicious behavior. On top of ThreatSense are five task-specific modules: a file system monitor; a Microsoft document monitor; a Microsoft Outlook monitor; an Internet traffic monitor; and the NOD32 on-demand scanner. The system works well at detecting and handling not only spyware but also viruses. It does not include a personal firewall.

Installing the NOD32 server components on my Windows 2000 Server was not nearly as straightforward as the other products. Documentation was available and helped explain the various installation procedures, including manually creating file shares for the client update service.

Creating an end-user policy was also a little more challenging than even with F-Secure. Another tool, NOD32 Configuration Editor, was required to create an XML configuration file that was then used to define my security policy as I distributed the agent out to my test clients. It would be nice to be able to do all of this from a single UI.

The most useful tool was yet a third application, NOD32 Remote Administrator. This console had by far the most useful UI of the bunch. In fact, Remote Administrator should have all of the aforementioned functions for the best all-around administration experience. With Remote Administrator, I was able to manage clients, deploy NOD32 to other PCs, view alerts and reports, and also schedule tasks. Additional client configuration is available through the console as well as update management.

NOD32’s reporting engine was one of the best of those tested, creating charts that were easy to read and understand. I like that I can save custom reports as templates and schedule the templates to run automatically.

NOD32 had one of the smaller memory footprints out of the ten products tested. Even while running a deep scan of my Windows XP Professional client, memory usage only topped out around 33MB -- easily half of the usage of most solutions. During a deep scan of my client, memory usage stayed nearly the same, but CPU utilization did jump up to around 75 percent, which is to be expected during an in-depth analysis.

NOD32 handled most of the malware I threw at it, detecting drive-by virus and other spyware installs as they occurred. It did, however, allow one adware program to drop Internet shortcuts on my desktop, and it also didn’t detect or remove Virtual Bouncer, AdRoar, and AdDestroyer. A subsequent deep on-demand scan also failed to identify and remove the adware.

Eset NOD32 Antivirus System may not be in anyone’s top five list of products to consider, but given a more comprehensive administration UI, it could become a major player in the anti-malicious program market. I like the way Eset integrates the various monitors, and the Remote Administration console nearly makes up for the other rough edges.

F-Secure Anti-Virus Client Security 6

F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates. Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.

Anti-Virus Client Security is a complete anti-virus, anti-spyware, intrusion prevention and detection, and personal firewall system bundled in one tight package. There are a lot of moving parts that make Anti-Virus Client Security work, and they all come together in the F-Secure Policy Manager Console. Installation of the console on my Windows 2003 Server took little time to complete, and the auto-discovery of my client PCs was quick. I pushed out an installation package to a Windows XP Professional PC without a hitch.

Creating a policy for my domain took slightly longer than other products due to odd organization in the Policy Manager. I was constantly jumping back and forth between tabs, trying to make sure I knew what I was selecting. Deploying a policy required clicking on yet another tab and then clicking the Update icon. My issues with the UI are purely personal; all of the options and choices are clearly marked with helpful descriptions. After an hour of working with it, I was more comfortable with the Policy Manager UI, but never at ease.

Because of all of the included features, there are a lot of choices to make when creating a policy. It is with the wealth of choices that Client Security overcomes its UI. One unique feature is the different security levels available in Client Security. Administrators can create one security policy for “office” users, and another for “everywhere else,” each with its own specific security settings. For instance, office users may have the personal firewall feature turned off, whereas a mobile user’s policy may enable the personal firewall when connected at a Wi-Fi hotspot.

With Client Security active and with all features enabled, there were 18 processes listed in Task Manager, consuming at a minimum 55MB of RAM. Unlike CounterSpy Enterprise and Tenebril SpyCatcher, there is no way to throttle up or down Client Security’s CPU usage. Whenever I launched a scan of my client PC, Client Security’s processes took up nearly 80 percent of processor time, greatly reducing system response.

The reporting engine was one of the stronger implementations in the group, coming in just behind McAfee’s system. F-Secure’s Web-enabled reporter worked easily and allowed me to slice and dice the collected data quickly to monitor activity on my network.

Overall, I found the combination of anti-virus and anti-spyware effective at preventing infection and at removing traces if a PC was already infected. The real-time scanner was adept at stripping both virus and malware out of the HTTP stream. With the real-time scanner enabled, I was never able to sneak anything past it.

LANDesk Security Suite 8.6

Long known as an enterprise management company, LANDesk aims to become known as an enterprise security company. Easily one of the most complex and scalable products in this roundup, LANDesk Security Suite 8.6 includes end point security, patch management, and security compliance with very good malware and spyware protection. Real-time protection was above average, blocking most attempts, and reporting was excellent.

Installation on my Windows 2000 Server was straightforward, with the tough part to come. Unlike Sunbelt CounterSpy, getting agents deployed and policy configured took quite some time and a bit of trial and error. By default, Security Suite doesn’t download all of the necessary spyware and malware definitions. I had to create an update task and choose what I wanted to retrieve. Next, I had to define my default Windows configuration, then assign PCs to that configuration. Finally I had to create a task to push this configuration information out to my clients.

I understand why LANDesk is designed the way it is: It’s hugely scalable. By making me define all of those items, it provides a multitude of configuration choices, with different policies and definitions for different workgroups or domains. My biggest knock against the UI is that while the tasks did indicate when a job was active or pending, some jobs took a while to complete, and I often wondered whether things were really happening. A progress indicator might be nice. A pop-up monitor provides some feedback, but it, too, leaves something to be desired.

New to this release of Security Suite is LANDesk’s Trusted Access technology, which helps LANDesk identify and quarantine infected client PCs. It also works with Cisco NAC and other third-party access control systems for better end point management. LANDesk does not include anti-virus protection, but it will manage and make sure Symantec, McAfee, and Trend Micro anti-virus engines are up-to-date.

Real-time protection was better than average, allowing only one piece of adware to slip through and blocking all others. It ran well alongside Norton AntiVirus and behind the Windows XP firewall. When malware is found on a client PC, it -- like Trend Micro Anti-Spyware for Small Business -- takes two passes to clean a system. The first job is to detect the malware; the second is actually to clean it from the PC. To test LANDesk’s cleaning ability, I created a repair task based on the spyware detected on my client, and set it to run at a specific time. Like clockwork, the repair job ran and removed the spyware from my PC. Security Suite uses 17MB of RAM on a client and 20MB with 35 percent CPU utilization during a scan or repair operation.

LANDesk’s reporting system is one of the best available. There are scores of predefined reports, and each one can be customized and saved for reuse later. I like that I can save my reports as HTML, Microsoft Word and Excel, PDF, and even rich text. Reports include categories such as spyware detection, vulnerabilities, and security compliance.

For anyone already familiar with LANDesk Management Suite, the capabilities of LANDesk Security Suite should come as no surprise. Security Suite is a truly enterprise-class management tool with good spyware protection and terrific reporting, but for the untrained it offers a confusing and unintuitive administration interface.

McAfee VirusScan Enterprise 8.0 with Anti-Spyware Enterprise Module 8.0

The latest release of McAfee VirusScan Enterprise sees the addition of Anti-Spyware support bundled tightly with it. Part of the overall McAfee enterprise family of products, VirusScan with the Anti-Spyware module scales to exceptional heights and provides one of the most robust platforms to secure the enterprise. Its real-time virus and anti-spyware protection are only average, but its reporting is the best of the group.

Installation of VirusScan on my Windows 2000 Server went smoothly. VirusScan and the Anti-Spyware module are all managed through McAfee’s ePolicy Orchestrator (ePO). This provides a single console for all of your McAfee enterprise products, and even some non-McAfee products.

Using the Getting Started Wizard, I went through the process of creating a VirusScan deployment task to get agents installed on my Windows XP PCs. Then, I was able to create and update policies based on directory, groups, and PC. Admins have to import AD information into ePO; ePO doesn’t directly support Active Directory.

Policy creation in VirusScan is similar to that in LANDesk Security Suite: easy if you know what you’re doing. After I understood how the policies are nested and what to do, management went from seemingly impossible to just laborious. Also like LANDesk, the number of configurations possible and the true enterprise scalability of ePO means spending some time understanding how everything works together to get the most out of it.

Real-time protection for VirusScan stopped all of the viruses cold but did allow a couple of crafty adware pieces through. Much like the real-time protection in Trend Micro Anti-Spyware for Small and Medium Business, VirusScan waits for a write operation to inspect the file. Although it was able to stop most of the attacks, it didn’t stop them all.

To check VirusScan’s cleaning ability, I created an on-demand scan job and launched it from ePO. The scan located and cleaned the pesky programs and returned the system to a clean state. One nice feature in VirusScan’s cleaning utility is its capability to mark a file for removal later; for instance, during an overnight scan. This feature helps eliminate system hangs during a clean operation or a pesky reboot in the middle of a workday.

VirusScan’s resource usage was on par with most other products, chewing up about 62MB of RAM at rest, and 78MB and 98 percent CPU utilization during a scan-and-clean operation. In fact, one time the system became so unresponsive during a scan that the only way I could regain control was to power-cycle the system.

Where VirusScan Enterprise and Anti-Spyware shine is in the reporting capabilities. Rivaling only LANDesk in comprehensiveness, VirusScan uses Crystal Reports and allows administrators numerous ways to view activity on the network, from top infected machines to current outbreaks. Each report has a wide range of filters that can be applied to further create the specific reports needed. Each report is interactive, allowing an admin to click and drill down for more detailed information.

Enterprise administrators are always looking to eliminate or minimize the number of consoles they have to deal with on a daily basis. VirusScan Enterprise and Anti-Spyware make excellent use of ePolicy Orchestrator, an awesome management platform. Its real-time protection is weaker than that of some others, but its scanning and cleaning abilities are right near the top. Management is inherently cumbersome due to all of the options available, but the excellent reporting engine makes ongoing monitoring much easier.

Sunbelt CounterSpy Enterprise 1.5

CounterSpy Enterprise 1.5 was one of the easiest products to deploy and configure, with all policy options nicely tabbed and logically laid out. Real-time protection was average, and follow-up scans proved to be effective at wiping any existing traces away. I found the Crystal Reports engine to be just as easy to use, but reports didn’t benefit from Crystal’s drill-down feature.

CounterSpy Enterprise is a pure-play anti-spyware solution that does not include client firewall services or anti-virus protection, although they are planned to follow soon. It does coexist well with the Windows XP firewall and Norton AntiVirus. Installation was straightforward and one of the easiest to complete. I installed the management console on a Windows 2003 Server and easily pushed the agent to my Windows XP Professional clients.

Policy creation is very intuitive and allows for quite a bit of flexibility. After a policy is defined, admins can add computers to it by searching the Active Directory or by viewing PCs in the local workgroup. As the policy attempts to update the selected PC, if the agent isn’t already installed, the Agent Deployment Wizard takes over and walks you through the process.

I like the simplicity of CounterSpy’s policy engine. It isn’t overwhelming, yet it provides enough granularity to meet most needs. For instance, I was able to define different thread priorities and options for quick and deep scans, as well as different run schedules. Each policy allows admins to specify how detected threats are handled, with different choices for real-time and on-demand scans.

Reporting is good, if not overly exciting. CounterSpy uses the Crystal Reports engine, which makes it easy to print and e-mail reports directly from the report viewer. Unlike McAfee ePolicy Orchestrator, CounterSpy doesn’t make full use of Crystal Reports drill-down features to filter displayed data. Also, admins cannot create custom reports; they are limited to the seven reports built into CounterSpy.

The update engine is streamlined and effective in retrieving and distributing new program and definition updates. Updates are retrieved by the management console on a specified schedule, and admins can force an immediate check. Each policy has its own settings for how often to check for updates, as well as an Update Now button.

CounterSpy’s agent installs five services on a client PC, with a small 16MB memory footprint. When a scan starts, however, memory usage swells to over 62MB. Real-time protection, called Active Protection, was much like Trend Micro’s; it allowed the malware to download and start running in memory, where it killed the process before allowing further execution. This process was not always 100 percent successful, and it allowed a couple of adware pop-up applications to launch. By design, Active Protection will stop a process from running, but it relies on a system scan to really remove the threat.

Quick and deep scans proved to be capable of eradicating leftover pieces of malware, with the deep scan checking more locations. On subsequent reboots, I never experienced a reinfection of any malware that slipped through the real-time protection.

CounterSpy Enterprise is one of the most intuitive and configurable anti-spyware products in this roundup. The reporting is good, if not flashy, and if its real-time protection were a bit more proactive, it would be hard not to make CounterSpy the top choice for enterprise anti-spyware protection.

SurfControl Enterprise Protection Suite -- Enterprise Threat Shield

SurfControl Enterprise Protection Suite -- Enterprise Threat Shield blocks not only known malicious software, but also any application defined as unwanted by the organization. Real-time protection was above average, allowing only one piece of adware to sneak through. The reporting engine is browser-based, and the whole system uses MSDE -- or your existing SQL installation -- for its data repository. Mobile users, meanwhile, only have some protection while disconnected.

SurfControl Enterprise Threat Shield is part of a suite of applications that cover just about all aspects of enterprise security, including Web content and e-mail filtering. Enterprise Threat Shield does not include anti-virus or firewall capabilities, but I had no trouble using it alongside the Windows firewall and Norton AntiVirus. Installation of the server console on a Windows 2003 Server didn’t prove difficult.

Installation of the client agent was a push process, much like other products reviewed here. In addition to hooking into Active Directory, Threat Shield can also work with Novell NDS and Windows NT 4 domains. Enterprise Threat Shield differs from other products in that instead of pushing a multimegabyte application to each client, a small 1.3MB listener application launches with the main detection engine running “hidden” in memory (no process shows in Task Manager). Threat Shield keeps a small list of application signatures in memory and compares active applications against it. When it doesn’t have a match in memory, or needs to confirm a signature with a server, it makes a quick connection to get the data it needs.

This is fine for PCs connected full time to the network, but it fails to completely protect mobile users out of the office. I tested this by first connecting my Windows XP Professional client to the network and installing the agent. I made a full pass of my test URLs to make sure the system was working correctly. I then disconnected the network cable to my Threat Shield server and visited the URLs again. I was surprised to find that while some adware applications were installed, many were still blocked by the resident portion of SurfControl. Even after subsequent reboots, although not at the same level of protection I had while connected, there was some measure of security. SurfControl is working on a more mobile-friendly update due by the end of the year.

Threat Shield is rules-driven. When I understood how to correctly assemble a rule, I found it to be a straightforward process. I simply selected the clients to deploy to, what types of threats to look for, and what actions to take for each detected threat. When this process was completed, I saved the configuration, and it was automatically pushed to the selected PCs. Unlike with McAfee ePolicy Orchestrator, I wasn’t bombarded with configuration choices.

Threat Shield allows administrators to define any application as an unwanted application, which is a feature I like. Through the database manager, admins can add specific applications to a blocked programs list, allowing them to tailor their security to their specific needs.

The reporting system is enterprise-grade, based on IIS and MS SQL, and allows for some customization. There are a number of predefined reports, and I had no trouble adding custom ones. Admins can export reports to PDF, MS Word, and Excel, or print right from the window. The reporting system also allows view-only user access for non-technical users.

Threat Shield doesn’t use any additional system RAM during an on-demand scan, unlike the other solutions. This near-zero footprint is a very welcome sight. Definition updates occur automatically or on-demand.

Enterprise Threat Shield does a good job of protecting enterprise clients. Its reliance on being connected to the management server is a problem, albeit a small one. I like the ultra-small resource footprint, and the browser-accessible reporting engine is nice, but its management interface takes some getting used to.

Tenebril SpyCatcher 4.0 Beta

I reviewed SpyCatcher 3.0 last October, and even though the latest release isn’t quite ready, I wanted to report what’s new and improved in the next incarnation. What I found is a security solution that is more network-friendly, with good protection and remediation, but reporting was minimal. Policy settings covered the basics, but many advanced settings were missing.

SpyCatcher is a point solution that focuses on adware, spyware, and other malicious programs. Unlike F-Secure, NOD32, and McAfee, anti-virus protection is not built in. I had no trouble with Windows XP’s firewall and Norton AntiVirus and SpyCatcher on the same system. I installed SpyCatcher’s administration server on a Windows 2000 Server and used Windows XP Professional clients exclusively.

The browser-based administration UI was well-organized and very easy to navigate. Administrators can use the Network Explorer view to push-install client computers, create reports for one or all clients, and initiate on-demand scans with a single click.

Like the other products tested, SpyCatcher had no trouble enumerating my computers in Active Directory or across other Windows domains. Unique to SpyCatcher is the way it organizes your PCs into predefined groups in the Status Explorer view. I found this especially helpful when trying to identify PCs with out-of-date definitions or that did not have the agent installed.

Policy definition required little effort, due in part to the limited number of choices available. SpyCatcher does break out the various forms of malware into a number of groups, and administrators can define the action to take on detection for each group. For instance, I set SpyCatcher to quarantine everything but cookies, port scanners, and packet sniffers; these SpyCatcher just entered into the alert log. Admins can create multiple policies to meet the security needs of the network.

SpyCatcher’s real-time engine does not block malware from entering the system; rather, it watches for its behavior once it is in memory, kills the process, and keeps it at bay until the next full scan. I saw this process in action: the program was allowed to execute, but SpyCatcher ended the task almost immediately. Because there is still a delay between launch and termination, there is a window in which a malicious program could send off personal information before it is stopped. I would like to see this real-time protection be more proactive and stop the intruder before it is through the front door.

The reporting engine gets the job done, but it has room for improvement. Reports are available in PDF or CSV (comma-separated value) format only, and other than choosing a date range and report type, there is no other customization available.

SpyCatcher’s resource usage on a client PC was about average out of all products here, and, like all others, swelled to nearly 60MB and 95 percent CPU utilization while doing a scan. Admins cannot set thread priority during a scan, so make sure scheduled tasks take place after work hours.

SpyCatcher is easy to use and deploy, and it did prove resilient in cleaning spyware from my test systems. Given that this is a beta release, I expect some things, such as lower resource usage, to change before it is generally available. In future releases, I would like to see the real-time protection step up and keep the bad stuff out.

Trend Micro Anti-Spyware for Small and Medium Business 3.0

Trend Micro is one of the top anti-virus companies in the world, so it was a natural progression for the company to put together an anti-spyware product. With technology obtained through the acquisition of InterMute in May 2005, Trend Micro has assembled what could be one of the better anti-spyware products for the enterprise — once a few kinks are worked out. Real-time protection is only average, but scanning remediation is among the best. Another solution with a browser-based administrative UI, TMAS (Trend Micro Anti-Spyware for Small and Medium Business) was easy to install and configure.

Like CounterSpy Enterprise and CA eTrust PestPatrol, TMAS is an anti-spyware point product -- it does not provide built-in anti-virus services. TMAS worked well alongside my Norton AntiVirus installation and didn’t complain about the Windows XP firewall. I had no trouble installing it on my Windows 2003 Server and pushing installations out to Windows XP Professional clients. The browser-based administration user interface is well-designed, and I found it very easy to navigate.

The network discovery portion of TMAS found all of my Windows domains and correctly listed all member computers. Installation of the TMAS agent was as simple as selecting a client PC from the list and clicking the Install button. A very easy-to-read Desktop Status window showed each client’s vital statistics, such as its status, last contact with the server, and the version of the agent running on it.

Creating various test policies took little time, simply because there weren’t that many choices to be made. Unlike in F-Secure Anti-Virus Client Security, most options are simply on or off. Options such as whether to do a quick scan or deep scan, whether to scan on startup, and if the policy should run on a schedule are all available.

Real-time protection, called Active Application Monitoring, works along the lines of Sunbelt CounterSpy. It doesn’t actively stop the malware from entering the system but allows it to save to disk and execute. Active Application Monitoring watches memory for specific processes, and, when detected, it terminates them before they can continue their dastardly deeds. In theory, this is fine, but as with CounterSpy, I saw a lag time between infection and termination, with one piece going undetected even after a scan and clean.

TMAS uses two small processes to monitor and maintain your client, using only about 21MB of RAM when idle. During a cleaning pass, a third process starts, and total RAM usage goes up to about 64MB, but CPU utilization stays around 50 percent. This is due in part to Trend’s dynamic CPU throttling. It will back off CPU usage when it sees other activity on the system, allowing for midday scans with minimal impact on end-user performance.

The reporting system in TMAS provides the core metrics an administrator would want, but you cannot save or customize any of the reports. For instance, I was not able to specify a date range or domain to view inside a specific report.

Trend Micro Anti-Spyware for Small and Medium Business is a step in the right direction, but the passive real-time protection and mediocre reporting make it less attractive for larger installations. The clean-cut user interface makes configuration and deployment a breeze, and the cleaning engine is up there with the best.

Webroot Spy Sweeper Enterprise 2.5

With the recent release of Spy Sweeper Enterprise 2.5, Webroot has put together a solid yet still easy-to-manage anti-spyware solution. Spy Sweeper scales well, has good real-time protection, and is easy to use and maintain. It does, however, suffer from some of the same problems plaguing other solutions, namely lackluster reporting. Overall, however, it proved to be a well-rounded solution to enterprise anti-spyware security needs.

Spy Sweeper Enterprise does not include anti-virus protection but ran fine alongside my Norton AntiVirus installation and the Windows XP firewall. Installation of the management console on my Windows 2000 Server was as easy as it comes. Client deployment was a little rougher than most other products. Even though Spy Sweeper identified all of my domains and clients, I was not able to push-deploy the agent to an uninstalled client. I believe it was a user name and rights issue, but unfortunately, as of this writing, I was not able to confirm this with Webroot support. Installation via file share using the Spy Sweeper MSI package worked flawlessly.

Defining a policy for Spy Sweeper means deciding which drives and folders to scan, whether to perform additional sweeps of memory and the Registry, and if the agent should pop up or stay hidden during a scan. Each of these items has a check box to enable the end-user to modify the settings, which is nice for power users, but it should be left off (default state) for normal clients.

Real-time protection comes in the form of Smart Shields. These various shields protect the Windows system, Internet Explorer, and startup locations. A Spy Installation Shield uses known spyware definitions to block processes from running. It also allows administrators to define custom lists of applications they don’t want running on a client, for instance an instant messaging or peer-to-peer client. I tested this by adding sol.exe to the custom list, and after letting the policy update, when I tried to launch Solitaire, Spy Sweeper didn’t even let it begin to load. To the end-user, it simply looked as if it never tried to launch. This matching works only on explicit file names, not on CRC (cyclic redundancy check) or MD5 hashes of the file contents, so a user who really wanted to could circumvent the block simply by copying the executable to a different name.
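To make the weakness of a name-keyed block list concrete, here is an added illustration (my own example code, not Webroot’s, and not Spy Sweeper’s policy format) that compares a filename rule with a content-hash rule. The “executables” are constructed byte strings standing in for real binaries, and the block-list entries are hypothetical. It goes one step beyond the review’s point: a hash rule catches the renamed copy, but a copy with a single byte changed slips past the hash rule while the name rule still catches it, which is why neither rule is sufficient on its own.

```python
"""Filename-based versus hash-based application block lists.

Added example, not code from the original article or from Webroot.
All inputs are constructed: the 'executables' below are byte strings
standing in for real PE files, and the block lists are hypothetical.
"""
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    """A file a user tries to launch: its on-disk path and its content."""
    path: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    """Content hash used by the hash rule (SHA-256 rather than MD5/CRC)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the Solitaire binary used in the review's test.
SOL_EXE = Executable(r"C:\Windows\System32\sol.exe",
                     b"MZ\x90\x00constructed-solitaire-bytes-v1")

# Policy 1 (hypothetical): explicit file names, as the review describes.
NAME_BLOCK_LIST = {"sol.exe", "msnmsgr.exe"}

# Policy 2 (hypothetical): content hashes an admin computed from known binaries.
HASH_BLOCK_LIST = {sha256_hex(SOL_EXE.content)}


def blocked_by_name(exe: Executable) -> bool:
    """Filename rule: compare only the basename, case-insensitively."""
    return ntpath.basename(exe.path).lower() in NAME_BLOCK_LIST


def blocked_by_hash(exe: Executable) -> bool:
    """Hash rule: compare the file contents; the name is ignored entirely."""
    return sha256_hex(exe.content) in HASH_BLOCK_LIST


def evaluate(exe: Executable) -> dict:
    """Run both rules and report which of them would stop this launch."""
    return {"name_rule": blocked_by_name(exe),
            "hash_rule": blocked_by_hash(exe)}


# Bypass 1: the user copies sol.exe to a new name. Same bytes, new name.
RENAMED = Executable(r"C:\Users\bob\notes.exe", SOL_EXE.content)

# Bypass 2: the user flips one byte (say, in padding). Same name, new hash.
# A hash list catches renames but not a modified copy, which is why stronger
# policies key on the publisher's code-signing certificate instead.
PATCHED = Executable(r"C:\Windows\System32\sol.exe",
                     SOL_EXE.content[:-1] + b"\x00")


if __name__ == "__main__":
    for label, exe in (("original", SOL_EXE),
                       ("renamed", RENAMED),
                       ("patched", PATCHED)):
        print(f"{label:9} {ntpath.basename(exe.path):10} {evaluate(exe)}")
```

Running it shows the original blocked by both rules, the renamed copy blocked only by the hash rule, and the patched copy blocked only by the name rule; an allow/deny policy that must hold up against a motivated user needs a property the user cannot cheaply change, such as the signing certificate, rather than either the name or a fixed hash alone.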

Real-time protection was better than average, but even Spy Sweeper didn’t stop all of the spyware attacks. It did, however, scan and clean all of the pests that left traces behind, proving to have the best remediation of all apps tested.

The Enterprise Admin Console is at times very intuitive; other times, it’s completely disorganized. As with F-Secure, occasionally I found myself jumping between groups of tasks to manage similar functions. Also, the console is currently Java-based and feels a bit sluggish as a result. Future releases are scheduled to have a Web-based UI to help speed admin chores.

Reporting is good, but there is room for improvement. Admins can choose from predefined templates and create reports based on workstation and group and also filter on date. Graphical reporting is new to Spy Sweeper Enterprise, but customization and reuse of reports is not available.

Overall, Spy Sweeper Enterprise provides all of the necessary parts to the anti-spyware solution. It has excellent real-time protection and remediation and a full slate of options that allows for flexible yet powerful protection. Once the reporting gets up to speed, it will be hard not to choose Spy Sweeper as your enterprise anti-spyware tool.

It’s All About the People

In the end, a network’s security is only as good as the people who use it. Tools like these will ease administrators’ jobs somewhat by providing reporting and logging of user activity and of the programs users try to run. All the tools in the world, however, will not prevent a user from copying files to a PC or installing an unapproved application. The enterprise must establish an acceptable use policy for the network and enforce it.

Spyware attacks are only going to continue to gain in frequency and cleverness. Unlike viruses, spyware and adware have a financial goal driving them, and you can bet those spyware writers are doing everything they can to access your network. Make sure you make their job even harder.

InfoWorld Scorecard

Weights: Value 10%, Setup 10%, Effectiveness 50%, Reporting 10%, Management 20%. Overall Score is the weighted average on a 10-point scale.

Product                                                              | Value | Setup | Effectiveness | Reporting | Management | Overall
Computer Associates eTrust PestPatrol Anti-Spyware Corporate Edition r5 |  7.0 |  9.0 |  8.0 |  6.0 |  7.0 | 7.6
Eset NOD32 2.5 Antivirus System                                      |  7.0 |  7.0 |  7.0 |  9.0 |  7.0 | 7.2
F-Secure Anti-Virus Client Security 6                                |  9.0 |  9.0 | 10.0 |  9.0 |  8.0 | 9.3
LANDesk Security Suite 8.6                                           |  8.0 |  8.0 |  9.0 | 10.0 |  8.0 | 8.7
McAfee VirusScan Enterprise 8.0 with Anti-Spyware Enterprise Module  |  8.0 |  8.0 |  8.0 | 10.0 |  8.0 | 8.2
Sunbelt CounterSpy Enterprise 1.5                                    |  9.0 |  9.0 |  8.0 |  9.0 |  9.0 | 8.5
SurfControl Enterprise Protection Suite - Enterprise Threat Shield   |  8.0 |  9.0 |  8.0 |  8.0 |  9.0 | 8.3
Tenebril SpyCatcher 4.0 Beta                                         |  n/a |  n/a |  n/a |  n/a |  n/a | 0.0 (beta; not rated)
Trend Micro Anti-Spyware for Small and Medium Business 3.0           |  8.0 |  9.0 |  8.0 |  8.0 |  8.0 | 8.1
Webroot Spy Sweeper Enterprise 2.5                                   |  8.0 |  9.0 |  9.0 |  8.0 |  9.0 | 8.8