Countering spyware

The InfoWorld Test Center assesses the readiness of 10 anti-spyware operatives for active enterprise duty

Page 3 of 4

SurfControl Enterprise Threat Shield is part of a suite of applications that cover just about all aspects of enterprise security, including Web content and e-mail filtering. Enterprise Threat Shield does not include anti-virus or firewall capabilities, but I had no trouble using it alongside the Windows firewall and Norton AntiVirus. Installation of the server console on a Windows 2003 Server didn’t prove difficult.

Installation of the client agent was a push process, much like other products reviewed here. In addition to hooking into Active Directory, Threat Shield can also work with Novell NDS and Windows NT 4 domains. Enterprise Threat Shield differs from other products in that instead of pushing a multimegabyte application to each client, a small 1.3MB listener application launches with the main detection engine running “hidden” in memory (no process shows in Task Manager). Threat Shield keeps a small list of application signatures in memory and compares active applications against it. When it doesn’t have a match in memory, or needs to confirm a signature with a server, it makes a quick connection to get the data it needs.

This is fine for PCs connected full time to the network, but it fails to completely protect mobile users out of the office. I tested this by first connecting my Windows XP Professional client to the network and installing the agent. I made a full pass of my test URLs to make sure the system was working correctly. I then disconnected the network cable to my Threat Shield server and visited the URLs again. I was surprised to find that while some adware applications were installed, many were still blocked by the resident portion of SurfControl. Even after subsequent reboots there was some measure of security, although not at the level of protection I had while connected. SurfControl is working on a more mobile-friendly update due by the end of the year.

Threat Shield is rules-driven. When I understood how to correctly assemble a rule, I found it to be a straightforward process. I simply selected the clients to deploy to, what types of threats to look for, and what actions to take for each detected threat. When this process was completed, I saved the configuration, and it was automatically pushed to the selected PCs. Unlike with McAfee ePolicy Orchestrator, I wasn’t bombarded with configuration choices.

Threat Shield allows administrators to define any application as an unwanted application, which is a feature I like. Through the database manager, admins can add specific applications to a blocked programs list, allowing them to tailor their security to their specific needs.

The reporting system is enterprise-grade, based on IIS and MS SQL, and allows for some customization. There are a number of predefined reports, and I had no trouble adding custom ones. Admins can export reports to PDF, MS Word, and Excel, or print right from the window. The reporting system also allows view-only user access for non-technical users.

Threat Shield doesn’t use any additional system RAM during an on-demand scan, unlike the other solutions. This near-zero footprint is a very welcome sight. Definition updates occur automatically or on-demand.

Enterprise Threat Shield does a good job of protecting enterprise clients. Its reliance on being connected to the management server is a problem, albeit a small one. I like the ultra-small resource footprint, and the browser-accessible reporting engine is nice, but its management interface takes some getting used to.

Tenebril SpyCatcher 4.0 Beta

I reviewed SpyCatcher 3.0 last October, and even though the latest release isn’t quite ready, I wanted to report what’s new and improved in the next incarnation. What I found is a security solution that is more network-friendly, with good protection and remediation, but reporting was minimal. Policy settings covered the basics, but many advanced settings were missing.

SpyCatcher is a point solution that focuses on adware, spyware, and other malicious programs. Unlike F-Secure, NOD32, and McAfee, anti-virus protection is not built in. I had no trouble with Windows XP’s firewall and Norton AntiVirus and SpyCatcher on the same system. I installed SpyCatcher’s administration server on a Windows 2000 Server and used Windows XP Professional clients exclusively.

The browser-based administration UI was well-organized and very easy to navigate. Administrators can use the Network Explorer view to push-install client computers, create reports for one or all clients, and initiate on-demand scans with a single click.

Like the other products tested, SpyCatcher had no trouble enumerating my computers in Active Directory or across other Windows domains. Unique to SpyCatcher is the way it organizes your PCs into predefined groups in the Status Explorer view. I found this especially helpful when trying to identify PCs with out-of-date definitions or that did not have the agent installed.

Policy definition required little effort, due in part to the limited number of choices available. SpyCatcher does break out the various forms of malware into a number of groups, and administrators can define the action to take on detection for each group. For instance, I set SpyCatcher to quarantine everything but cookies, port scanners, and packet sniffers; these SpyCatcher just entered into the alert log. Admins can create multiple policies to meet the security needs of the network.

SpyCatcher’s real-time engine does not block the malware from entering the system; rather, it watches for its behavior when it’s in memory. There it quickly kills the application and keeps it at bay until the next full scan. I saw this process in action, and although it let the process execute, it ended the task almost immediately. In reality, because there is a delay before the application terminates, there is a chance that a malicious program could sneak off with personal information. I would like to see this real-time protection be more proactive and stop the intruder before it gets in the front door.

The reporting engine gets the job done, but it has room for improvement. Reports are available in PDF or CSV (comma-separated value) only, and other than choosing a date range and report type, there is no other customization available.

SpyCatcher’s resource usage on a client PC was about average out of all products here, and, like all others, swelled to nearly 60MB and 95 percent CPU utilization while doing a scan. Admins cannot set thread priority during a scan, so make sure scheduled tasks take place after work hours.

SpyCatcher is easy to use and deploy, and it did prove resilient in cleaning spyware from my test systems. Given that this is a beta release, I expect some things, such as lower resource usage, to change before it is generally available. In future releases, I would like to see the real-time protection step up and keep the bad stuff out.

Trend Micro Anti-Spyware for Small and Medium Business 3.0

Trend Micro is one of the top anti-virus companies in the world, so it was a natural progression for the company to put together an anti-spyware product. Using technology obtained through the acquisition of InterMute in May 2005, Trend Micro has assembled what could be one of the better anti-spyware products for the enterprise — when a few kinks are worked out. Real-time protection is only average, but scanning remediation is among the best. Another solution with a browser-based administrative UI, TMAS (Trend Micro Anti-Spyware for Small and Medium Business) was easy to install and configure.

Like CounterSpy Enterprise and CA eTrust PestPatrol, TMAS is an anti-spyware point product -- it does not provide built-in anti-virus services. TMAS worked well alongside my Norton AntiVirus installation and didn’t complain about the Windows XP firewall. I had no trouble installing it on my Windows 2003 Server and pushing installations out to Windows XP Professional clients. The browser-based administration user interface is well-designed, and I found it very easy to navigate.

The network discovery portion of TMAS found all of my Windows domains and correctly listed all member computers. Installation of the TMAS agent was as simple as selecting a client PC from the list and clicking the Install button. A very easy-to-read Desktop Status window showed each client’s vital statistics, such as its status, last contact with the server, and the version of the agent running on it.

Creating various test policies took little time, simply because there weren’t that many choices to be made. Unlike in F-Secure Anti-Virus Client Security, most options are simply on or off. Options such as whether to do a quick scan or deep scan, whether to scan on startup, and if the policy should run on a schedule are all available.

Real-time protection, called Active Application Monitoring, works along the lines of Sunbelt CounterSpy. It doesn’t actively stop the malware from entering the system but allows it to save to disk and execute. Active Application Monitoring watches memory for specific processes, and, when detected, it terminates them before they can continue their dastardly deeds. In theory, this is fine, but as with CounterSpy, I saw a lag time between infection and termination, with one piece going undetected even after a scan and clean.

TMAS uses two small processes to monitor and maintain your client, using only about 21MB of RAM when idle. During a cleaning pass, a third process starts, and total RAM usage goes up to about 64MB, but CPU utilization stays around 50 percent. This is due in part to Trend’s dynamic CPU throttling. It will back off CPU usage when it sees other activity on the system, allowing for midday scans with minimal impact on end-user performance.

The reporting system in TMAS provides the core metrics an administrator would want, but you cannot save or customize any of the reports. For instance, I was not able to specify a date range or domain to view inside a specific report.

Trend Micro Anti-Spyware for Small and Medium Business is a step in the right direction, but the passive real-time protection and mediocre reporting make it less attractive for larger installations. The clean-cut user interface makes configuration and deployment a breeze, and the cleaning engine is up there with the best.

Webroot Spy Sweeper Enterprise 2.5

With the recent release of Spy Sweeper Enterprise 2.5, Webroot has put together a solid yet still easy-to-manage anti-spyware solution. Spy Sweeper scales well, has good real-time protection, and is easy to use and maintain. It does, however, suffer from some of the same problems plaguing other solutions, namely lackluster reporting. Overall, however, it proved to be a well-rounded solution to enterprise anti-spyware security needs.

Spy Sweeper Enterprise does not include anti-virus protection but ran fine alongside my Norton AntiVirus installation and the Windows XP firewall. Installation of the management console on my Windows 2000 Server was as easy as it comes. Client deployment was a little rougher than most other products. Even though Spy Sweeper identified all of my domains and clients, I was not able to push-deploy the agent to an uninstalled client. I believe it was a user name and rights issue, but unfortunately, as of this writing, I was not able to confirm this with Webroot support. Installation via file share using the Spy Sweeper MSI package worked flawlessly.

Defining a policy for Spy Sweeper means deciding which drives and folders to scan, whether to perform additional sweeps of memory and the Registry, and if the agent should pop up or stay hidden during a scan. Each of these items has a check box to enable the end-user to modify the settings, which is nice for power users, but it should be left off (default state) for normal clients.

Real-time protection comes in the way of Smart Shields. These various shields protect the Windows system, Internet Explorer, and Startup locations. A Spy Installation Shield uses known spyware definitions to block processes from running. It also allows administrators to define custom lists of applications they don’t want running on a client; for instance, instant messaging or a peer-to-peer client. I tested this by adding sol.exe to the custom list, and after letting the policy update, when I tried to launch Solitaire, Spy Sweeper didn’t even let it begin to load. To the end-user, it simply didn’t look like it even tried to launch. This process only works on explicit file names and not CRC (cyclic redundancy check) or MD5 hashes, so it is possible for someone to circumvent this protection if he or she really wanted to.
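To make the file-name limitation concrete, here is an added example (not Webroot’s code, and not from the original review) that evaluates a custom block list two ways: by file name, as Spy Sweeper’s list does, and by a content hash, as the review suggests. The sample “executables” are constructed byte strings, not real binaries, and a renamed copy of the blocked content shows which policy still catches it.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample "executables": a file name mapped to its raw bytes.
# games.exe is a byte-for-byte copy of sol.exe under a different name.
SAMPLES = {
    "sol.exe": b"MZ\x90\x00 solitaire-demo-content",
    "games.exe": b"MZ\x90\x00 solitaire-demo-content",
    "notepad.exe": b"MZ\x90\x00 editor-demo-content",
}


def sha256_hex(data: bytes) -> str:
    """Content hash of the file bytes (SHA-256 used instead of CRC/MD5)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class BlockPolicy:
    names: frozenset   # lower-cased file names, like the custom list in the text
    hashes: frozenset  # SHA-256 digests of the blocked files' actual bytes


def build_policy(block_names, block_contents) -> BlockPolicy:
    return BlockPolicy(frozenset(n.lower() for n in block_names),
                       frozenset(sha256_hex(c) for c in block_contents))


def name_blocked(policy: BlockPolicy, name: str) -> bool:
    # Windows file names are case-insensitive, so compare lower-cased.
    return name.lower() in policy.names


def hash_blocked(policy: BlockPolicy, data: bytes) -> bool:
    # Survives a rename; does not survive a modified or recompiled binary.
    return sha256_hex(data) in policy.hashes


def evaluate(policy: BlockPolicy, samples: dict) -> dict:
    """Return {file name: (blocked by name, blocked by hash)} for each sample."""
    return {n: (name_blocked(policy, n), hash_blocked(policy, d))
            for n, d in samples.items()}


if __name__ == "__main__":
    policy = build_policy(["sol.exe"], [SAMPLES["sol.exe"]])
    for name, (by_name, by_hash) in evaluate(policy, SAMPLES).items():
        print(f"{name:12} name-match={by_name!s:5} hash-match={by_hash}")
```

Running it shows games.exe passing the name check but failing the hash check, which is the gap the review describes; a hash list needs maintenance as blocked applications are updated.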

Real-time protection was better than average, but even Spy Sweeper didn’t stop all of the spyware attacks. It did, however, scan and clean all of the pests that left traces behind, proving to have the best remediation of all apps tested.

The Enterprise Admin Console is at times very intuitive; other times, it’s completely disorganized. As with F-Secure, occasionally I found myself jumping between groups of tasks to manage similar functions. Also, the console is currently Java-based and feels a bit sluggish as a result. Future releases are scheduled to have a Web-based UI to help speed admin chores.

Reporting is good, but there is room for improvement. Admins can choose from predefined templates and create reports based on workstation and group and also filter on date. Graphical reporting is new to Spy Sweeper Enterprise, but customization and reuse of reports is not available.

Overall, Spy Sweeper Enterprise provides all of the necessary parts to the anti-spyware solution. It has excellent real-time protection and remediation and a full slate of options that allows for flexible yet powerful protection. Once the reporting gets up to speed, it will be hard not to choose Spy Sweeper as your enterprise anti-spyware tool.

It’s All About the People
