Countering spyware

The InfoWorld Test Center assesses the readiness of 10 anti-spyware operatives for active enterprise duty

Page 2 of 4

Anti-Virus Client Security is a complete anti-virus, anti-spyware, intrusion prevention and detection, and personal firewall system bundled in one tight package. There are a lot of moving parts that make Anti-Virus Client Security work, and they all come together in the F-Secure Policy Manager Console. Installation of the console on my Windows 2003 Server took little time to complete, and the auto-discovery of my client PCs was quick. I pushed out an installation package to a Windows XP Professional PC without a hitch.

Creating a policy for my domain took slightly longer than other products due to odd organization in the Policy Manager. I was constantly jumping back and forth between tabs, trying to make sure I knew what I was selecting. Deploying a policy required clicking on yet another tab and then clicking the Update icon. My issues with the UI are purely personal; all of the options and choices are clearly marked with helpful descriptions. After an hour of working with it, I was more comfortable with the Policy Manager UI, but never at ease.

Because of all of the included features, there are a lot of choices to make when creating a policy. It is with the wealth of choices that Client Security overcomes its UI. One unique feature is the different security levels available in Client Security. Administrators can create one security policy for “office” users, and another for “everywhere else,” each with its own specific security settings. For instance, office users may have the personal firewall feature turned off, whereas a mobile user’s policy may enable the personal firewall when connected at a Wi-Fi hotspot.

With Client Security active and with all features enabled, there were 18 processes listed in Task Manager, consuming at a minimum 55MB of RAM. Unlike CounterSpy Enterprise and Tenebril SpyCatcher, there is no way to throttle up or down Client Security’s CPU usage. Whenever I launched a scan of my client PC, Client Security’s processes took up nearly 80 percent of processor time, greatly reducing system response.

The reporting engine was one of the stronger implementations in the group, coming in just behind McAfee’s system. F-Secure’s Web-enabled reporter worked easily and allowed me to slice and dice the collected data quickly to monitor activity on my network.

Overall, I found the combination of anti-virus and anti-spyware effective at preventing infection and at removing traces if a PC was already infected. The real-time scanner was adept at stripping both virus and malware out of the HTTP stream. With the real-time scanner enabled, I was never able to sneak anything past it.

LANDesk Security Suite 8.6

Long known as an enterprise management company, LANDesk aims to become known as an enterprise security company. Easily one of the most complex and scalable products in this roundup, LANDesk Security Suite 8.6 includes end point security, patch management, and security compliance with very good malware and spyware protection. Real-time protection was above average, blocking most attempts, and reporting was excellent.

Installation on my Windows 2000 Server was straightforward, with the tough part to come. Unlike Sunbelt CounterSpy, getting agents deployed and policy configured took quite some time and a bit of trial and error. By default, Security Suite doesn’t download all of the necessary spyware and malware definitions. I had to create an update task and choose what I wanted to retrieve. Next, I had to define my default Windows configuration, then assign PCs to that configuration. Finally I had to create a task to push this configuration information out to my clients.

I understand why LANDesk is designed the way it is: It’s hugely scalable. By making me define all of those items, it provides a multitude of configuration choices, with different policies and definitions for different workgroups or domains. My biggest knock against the UI is that while the tasks did indicate when a job was active or pending, some jobs took a while to complete, and I often wondered whether things were really happening. A progress indicator might be nice. A pop-up monitor provides some feedback, but it, too, leaves something to be desired.

New to this release of Security Suite is LANDesk’s Trusted Access technology, which helps LANDesk identify and quarantine infected client PCs. It also works with Cisco NAC and other third-party access control systems for better end point management. LANDesk does not include anti-virus protection, but it will manage and make sure Symantec, McAfee, and Trend Micro anti-virus engines are up-to-date.

Real-time protection was better than average, allowing only one piece of adware to slip through and blocking all others. It ran well alongside Norton AntiVirus and behind the Windows XP firewall. When malware is found on a client PC, it -- like Trend Micro Anti-Spyware for Small Business -- takes two passes to clean a system. The first job is to detect the malware; the second is actually to clean it from the PC. To test LANDesk’s cleaning ability, I created a repair task based on the spyware detected on my client, and set it to run at a specific time. Like clockwork, the repair job ran and removed the spyware from my PC. Security Suite uses 17MB of RAM on a client and 20MB with 35 percent CPU utilization during a scan or repair operation.

LANDesk’s reporting system is one of the best available. There are scores of predefined reports, and each one can be customized and saved for reuse later. I like that I can save my reports as HTML, Microsoft Word and Excel, PDF, and even rich text. Reports include categories such as spyware detection, vulnerabilities, and security compliance.

For anyone already familiar with LANDesk Management Suite, the capabilities of LANDesk Security Suite should come as no surprise. Security Suite is a truly enterprise-class management tool with good spyware protection and terrific reporting, but for the untrained it offers a confusing and unintuitive administration interface.

McAfee VirusScan Enterprise 8.0 with Anti-Spyware Enterprise Module 8.0

The latest release of McAfee VirusScan Enterprise sees the addition of Anti-Spyware support bundled tightly with it. Part of the overall McAfee enterprise family of products, VirusScan with the Anti-Spyware module scales to exceptional heights and provides one of the most robust platforms to secure the enterprise. Its real-time virus and anti-spyware protection are only average, but its reporting is the best of the group.

Installation of VirusScan on my Windows 2000 Server went smoothly. VirusScan and the Anti-Spyware module are all managed through McAfee’s ePolicy Orchestrator (ePO). This provides a single console for all of your McAfee enterprise products, and even some non-McAfee products.

Using the Getting Started Wizard, I went through the process of creating a VirusScan deployment task to get agents installed on my Windows XP PCs. Then, I was able to create and update policies based on directory, groups, and PC. Admins have to import AD information into ePO; ePO doesn’t directly support Active Directory.

Policy creation in VirusScan is similar to that in LANDesk Security Suite: easy if you know what you’re doing. After I understood how the policies are nested and what to do, management went from seemingly impossible to just laborious. Also like LANDesk, the number of configurations possible and the true enterprise scalability of ePO means spending some time understanding how everything works together to get the most out of it.

Real-time protection for VirusScan stopped all of the viruses cold but did allow a couple of crafty adware pieces through. Much like the real-time protection in Trend Micro Anti-Spyware for Small and Medium Business, VirusScan waits for a write operation to inspect the file. Although it was able to stop most of the attacks, it didn’t stop them all.

To check VirusScan’s cleaning ability, I created an on-demand scan job and launched it from ePO. The scan located and cleaned the pesky programs and returned the system to a clean state. One nice feature in VirusScan’s cleaning utility is its capability to mark a file for removal later; for instance, during an overnight scan. This feature helps eliminate system hangs during a clean operation or a pesky reboot in the middle of a workday.

VirusScan’s resource usage was on par with most other products, chewing up about 62MB of RAM at rest, and 78MB and 98 percent CPU utilization during a scan-and-clean operation. In fact, one time the system became so unresponsive during a scan that the only way I could regain control was to power-cycle the system.

Where VirusScan Enterprise and Anti-Spyware shine is in the reporting capabilities. Rivaling only LANDesk in comprehensiveness, VirusScan uses Crystal Reports and allows administrators numerous ways to view activity on the network, from top infected machines to current outbreaks. Each report has a wide range of filters that can be applied to further create the specific reports needed. Each report is interactive, allowing an admin to click and drill down for more detailed information.

Enterprise administrators are always looking to eliminate or minimize the number of consoles they have to deal with on a daily basis. VirusScan Enterprise and Anti-Spyware make excellent use of ePolicy Orchestrator, an awesome management platform. Its real-time protection is weaker than that of some others, but its scanning and cleaning abilities are right near the top. Management is inherently cumbersome due to all of the options available, but the excellent reporting engine makes ongoing monitoring much easier.

Sunbelt CounterSpy Enterprise 1.5

CounterSpy Enterprise 1.5 was one of the easiest products to deploy and configure, with all policy options nicely tabbed and logically laid out. Real-time protection was average, and follow-up scans proved to be effective at wiping any existing traces away. I found the Crystal Reports engine to be just as easy to use, but reports didn’t benefit from Crystal’s drill-down feature.

CounterSpy Enterprise is a pure-play anti-spyware solution that does not include client firewall services or anti-virus protection, although they are planned to follow soon. It does coexist well with the Windows XP firewall and Norton AntiVirus. Installation was straightforward and one of the easiest to complete. I installed the management console on a Windows 2003 Server and easily pushed the agent to my Windows XP Professional clients.

Policy creation is very intuitive and allows for quite a bit of flexibility. After a policy is defined, admins can add computers to it by searching the Active Directory or by viewing PCs in the local workgroup. As the policy attempts to update the selected PC, if the agent isn’t already installed, the Agent Deployment Wizard takes over and walks you through the process.

I like the simplicity of CounterSpy’s policy engine. It isn’t overwhelming, yet it provides enough granularity to meet most needs. For instance, I was able to define different thread priorities and options for quick and deep scans, as well as different run schedules. Each policy allows admins to specify how detected threats are handled, with different choices for real-time and on-demand scans.

Reporting is good, if not overly exciting. CounterSpy uses the Crystal Reports engine, which makes it easy to print and e-mail reports directly from the report viewer. Unlike McAfee ePolicy Orchestrator, CounterSpy doesn’t make full use of Crystal Reports drill-down features to filter displayed data. Also, admins cannot create custom reports; they are limited to the seven reports built into CounterSpy.

The update engine is streamlined and effective in retrieving and distributing new program and definition updates. Updates are retrieved by the management console on a specified schedule, and admins can force an immediate check. Each policy has its own settings for how often to check for updates, as well as an Update Now button.

CounterSpy’s agent installs five services on a client PC, with a small 16MB memory footprint. When a scan starts, however, memory usage swells to over 62MB. Real-time protection, called Active Protection, was much like Trend Micro’s: it allowed the malware to download and start running in memory, then killed the process before allowing further execution. This process was not always 100 percent successful, and it allowed a couple of adware pop-up applications to launch. By design, Active Protection will stop a process from running, but it relies on a system scan to really remove the threat.

Quick and deep scans proved to be capable of eradicating leftover pieces of malware, with the deep scan checking more locations. On subsequent reboots, I never experienced a reinfection of any malware that slipped through the real-time protection.

CounterSpy Enterprise is one of the most intuitive and configurable anti-spyware products in this roundup. The reporting is good, if not flashy, and if its real-time protection were a bit more proactive, it would be hard not to make CounterSpy the top choice for enterprise anti-spyware protection.

SurfControl Enterprise Protection Suite -- Enterprise Threat Shield

SurfControl Enterprise Protection Suite -- Enterprise Threat Shield blocks not only known malicious software, but also any application defined as unwanted by the organization. Real-time protection was above average, allowing only one piece of adware to sneak through. The reporting engine is browser-based, and the whole system uses MSDE -- or your existing SQL installation -- for its data repository. Mobile users, meanwhile, only have some protection while disconnected.
