CA ITM means double trouble for digital invaders

Computer Associates marries anti-spyware with anti-virus

An unfortunate fact of life for the network administrator is that virus and malware threats are not going away any time soon. In fact, if anything, things are only going to get worse. Managing enterprise-wide anti-virus and anti-spyware solutions can be difficult: two applications mean two separate points of management. Why not roll both security tools into a common solution?

Computer Associates has done just that with ITM (Integrated Threat Management) r8, a bundling of eTrust AntiVirus and eTrust PestPatrol Anti-Spyware Corporate Edition. ITM allows network admins to create, manage and monitor their virus and malware policy from a single browser-based console. A flexible discovery option helps locate ITM-installed clients and the new graphical reporting engine makes keeping up with pest activity easy. The real-time anti-virus and malware scanning engines did a decent, if not total, job of keeping my test systems malware free. And ITM’s on-demand scanner did an excellent job locating and eradicating the one that slipped through.

I installed ITM's admin and alert server on a Windows 2003 Small Business Server running all of the latest Microsoft patches. Setup was thankfully uneventful and the system was operational in about 30 minutes. I installed the ITM agent on a handful of Windows XP clients as well as a Windows 2003 Web Server Edition machine using a file share. Admins can deploy the agent using traditional software distribution systems, or they can push it out to clients using the included remote install utility.

During my evaluation, I used Internet Explorer 6 to view some Web sites that I know attempt drive-by installs on unsuspecting users. ITM successfully prevented various Java- and Win32-based Trojans and other sneaky exploits from ever landing on my test systems. It did, however, allow the Istbar V adware toolbar to install successfully, but this one item was quickly removed once I performed an on-demand scan. I found launching such manual scans to be nearly effortless.

ITM is more than just a bundle of two complementary products. Both tools received updates and enhancements, but eTrust PestPatrol gained the most. Previous releases of PestPatrol forced users into a clunky text-based UI with mediocre reporting and poor real-time protection. The UI has now had a much-needed overhaul, and reporting is comprehensive and graphical.

Whereas eTrust AntiVirus already benefited from a cohesive centralized framework that took care of policy and signature updates, now PestPatrol also rides on top of this framework and takes advantage of incremental program and signature updates. New to this release, incremental anti-spyware definitions and signatures are available from the ITM server or shared from a local redistribution server to save scarce WAN bandwidth. This means that, unlike the previous release, installed systems no longer have to connect individually to CA’s Web site for updates.

The heart of ITM is the policy engine, where CA has done the most work in integrating PestPatrol into the mix. While anti-virus and anti-spyware are bound together in management, in reality each client agent runs a separate engine for each type of protection. Therefore, each engine gets its own separate set of policies. Common actions, such as alert handling and content updating, are handled in their own policy group.

CA's drop-down pick list makes choosing the appropriate protection engine and subsequent policy section easy and helps eliminate UI fatigue by keeping all policy management in one location. Because I knew exactly which protection engine I was working with, I was able to quickly drill into the settings I needed to modify. I found working with the policy settings in this manner to be intuitive, and it greatly reduced my overall management time.

Once various policies are defined, IT must assign them to the systems they want to protect. ITM’s flexible discovery engine scans the enterprise looking for ITM agent-installed systems, such as servers or client PCs. Because ITM is an enterprise-ready application, it includes an organizational system that allows IT to create groups and subgroups of clients for more efficient management. For instance, I created a main group that contained two subgroups, each representing a different subnet. As I discovered clients, I placed them into the subgroup appropriate for the subnet they were on.

Admins can apply policy at any point in the tree, and lower groups inherit the policies from the groups above them. This allows for one overriding policy to be assigned at the top-most level to make sure all clients have a baseline policy, but lower subgroups can have their own policies assigned to them to meet localized needs, such as defining a local redistribution server or specific exclusions.

Reporting is another area where eTrust Anti-Spyware made great strides in Release 8. Gone are the text-only reports; now admins can choose from more than 70 predefined reports. Most reports have clickable links that either drill down further into a specific item in the report or provide additional information. Many of the reports, like the virus and pest Top 10, also provide graphs and charts of the malware activity.

Overall, Integrated Threat Management r8 is a major improvement for eTrust PestPatrol Anti-Spyware and an excellent bundle with eTrust AntiVirus. The user interface is clean and intuitive, and I like how CA breaks out the policy management for each engine. Reporting is also much improved in this release, and the shared download of program and signature updates for both anti-virus and anti-spyware is a welcome addition. Real-time protection is good but, as always, could be a little better, although I have no complaints about on-demand scans and remediation.

InfoWorld Scorecard: CA Integrated Threat Management r8

Criterion (weight)        Score
Value (10.0%)               8.0
Reporting (10.0%)           8.0
Setup (10.0%)               9.0
Effectiveness (50.0%)       8.0
Management (20.0%)          8.0
Overall Score (100%)        8.1