Countering spyware

Spyware outbreaks are escalating from a frustrating productivity problem to an outright security issue. All it takes is one careless user who decides to satisfy his MP3 addiction by downloading a free file-swapping program poisoned with malware. A backdoor application and keylogger install themselves, and next thing you know, your company’s Web sites have been compromised and are acting as a file-sharing FTP site, and your domain registrations have been changed to an offshore company.

Whether you call it adware, malware, or spyware, these malicious programs are not only capable of tracking where a user goes on the Internet, but they’re capturing sensitive information such as user names, passwords, and customer data, such as credit card information.

Fortunately, vendors are working to provide smarter and better antispyware tools to help protect against these digital sneak attacks. I recently took ten enterprise antispyware operatives and put them through a series of real-world tests to see how good they are at intercepting malicious programs and protecting end-users computers and sensitive company information. Participating companies included: Computer Associates, Eset, F-Secure, LANDesk, McAfee, Sunbelt, SurfControl, Tenebril, Trend Micro, and Webroot.

Enterprise Ready?

Last year, I reviewed two of the first enterprise-geared anti-spyware apps -- Tenebril SpyCatcher 3.0 Enterprise and CA eTrust PestPatrol Corporate Edition 5.0 -- and saw just how far products on the market were from being truly enterprise-ready. The latest versions of both applications are included in this year’s roundup, and I’m happy to say that both -- and just about all of the others reviewed -- can truly be considered for the enterprise. Deployment, management, and reporting are all easily managed from centralized consoles, and all of the products scale easily into the thousands of installed seats.

All but one of the products integrates easily and thoroughly with AD (Active Directory), as well as simple workgroups. By hooking AD, admins can directly access domain PCs and more easily push installations and updates to clients. All of the anti-spyware products come with centralized reporting, again some better than others. Trend Micro creates very nice looking -- though static -- HTML reports, whereas LANDesk Security Suite includes one of the most flexible and powerful reporting systems in the roundup.

Agent deployment was one area where the vendors shared a common theme; they all support the push delivery method. Further, all the products allow for either .exe or .msi distribution via scripting or software distribution tools. An area where the solutions vary greatly is in how managers interact with installed clients. F-Secure does a great job of allowing an administrator to view protected PCs and manage policies and definitions, but it doesn’t have a way to start an on-demand scan of a client.

Real Time Makes a Real Difference

Support for real-time protection also varies among vendors. McAfee’s, Trend Micro’s, and Tenebril’s versions allow the malware to install, but prevent it from executing, thus leaving it installed but neutered until a removal scan is started. Others, such as Sunbelt CounterSpy, block most malware installs while missing others, and, like Trend Micro, remove existing traces on next scan. F-Secure did the best job of preventing initial installations, blocking all spyware and malware attacks.

To be fair, the real-time protection offered by all of the products tested is far and away superior to what was available just a year ago -- and absolutely better than using nothing at all. Real-time protection must achieve the same effectiveness we expect from our anti-virus protection: it must be capable of blocking the installation from ever occurring. Simply watching for a process isn’t enough; it needs to be eliminated, either out of the HTTP stream or as it is being installed.

All of these solutions provide scanning and cleaning services both on-demand (aside from F-Secure) and on a schedule, all from the admin console. Not all client-installed agents allow the end-user to initiate either a scan or clean task. In fact, the products from Computer Associates, SurfControl, Tenebril, and Trend Micro don’t even show an icon on the system tray or have a way for an end-user to interact with the agent. Scan and clean events are usually going to be scheduled by the administrator, but it would be nice to allow users the choice of launching their own scans.

Since my previous review, all of these anti-spyware products have also matured insofar as managing product and definition updates. All of them centrally manage definition updates, acting as a single distribution source. LANDesk Security Suite 8.6 goes one better by allowing clients in the same subnet or workgroup to download updates in a p-to-p fashion even before looking to the central server, and Spy Sweeper designates distributors, special Spy Sweeper clients in different subnets, to help share program and definition updates.

For my tests, I used a list of nine Web sites and URLs that are sources of malware, spyware, and viruses, and all were effective and convincing in their delivery. Two of the sites actually showed step-by-step how to install the ActiveX control they were trying to deliver. To make sure I tested each product the same way, I scripted my browsing experience using Macro Scheduler 7.3, by MJT Net. For the products that did not include anti-virus protection, I installed Norton AntiVirus Corporate Edition 7.6 and updated it with the latest definitions. My test PCs and servers were a mix of Windows 2000 Server, Windows XP Pro, and Windows 2003 Server Standard.

Computer Associates eTrust PestPatrol Anti-Spyware Corporate Edition r5

One of the most established brands in anti-spyware, Computer Associates eTrust PestPatrol comes with an updated detection engine and a smaller memory footprint. PestPatrol’s Active Protection (the company’s real-time implementation) is very weak, and reporting is nearly as bad. It does, however, provide good scanning and cleaning capabilities, and its UI is the easiest to use.

I reviewed CA’s eTrust PestPatrol Anti-Spyware last October, and, on the surface, things are pretty much the same as they were then. Installation proved to be intuitive as well as non-eventful. I was able to push the PestPatrol agent to my client PCs right from the administration console. A command line distribution method is also available for clients for which the admin console doesn’t have local administrative rights or for enterprises that have a software distribution system in place.

The scanning and detection engine has been upgraded for this release. CA changed how PestPatrol scans for and identifies spyware. Now it scans based on a CRC (cyclic redundancy check) signature first, and if it finds a possible hit, it uses an MD5 hash to make sure. The CRC check is very fast, allowing PestPatrol to improve its scanning performance. I liked that I could select multiple clients from across the network and launch an on-demand scan with one click. At scan time, I was able to choose how to handle detected threats and also where to look for them.

PestPatrol really falls behind the other products in this roundup with its real-time scanning. Its Active Protection is comparable to Tenebril SpyCatcher. It doesn’t block malicious content from making its way into the system. Instead, it monitors processes in memory and cookie activity on the client PC. The goal is to stop or slow down malware between scheduled or on-demand scans. With the number of threats in the wild and the growing sophistication of the attacks, Active Protection as it stands just isn’t enough. Computer Associates stated that the next release of PestPatrol will have a more active real-time agent.

Reporting is another area where PestPatrol really misses the mark. Reports are available based on pests or a specific pest, all or selected workstations, and also by date range. The generated report is a text file describing each event; no support for any other format or charts is available. Activity and quarantine log views per machine are available. From here, you purge and archive quarantined malware on a client-by-client basis.

PestPatrol does allow for exclusions based on the included lists of known pests and categories, or admins can add their own files and paths to exclude. This is helpful if you want to make sure some applications -- such as remote control or password-cracking tools -- are never quarantined by mistake. Unfortunately, administrators cannot add their own applications to the pest list for removal.

Overall, PestPatrol is a decent all-around anti-spyware solution. It does have some weaknesses, most of which will be addressed in the next release, but it’s one of the easiest tools to use. The scanning engine did an excellent job of removing any spyware on the system, and the push install made deployment fast and easy.

Eset NOD32 2.5 Antivirus System

Eset, with its NOD32 Antivirus System, is a relatively unknown player in the enterprise anti-spyware game. This suite of security services proved average in detecting and cleaning my malware threats but boasts a full-featured remote-administration console. Although NOD32 has solid technical chops, it does suffer from overly cumbersome installation and disjointed administration.

The core technology of NOD32 is Eset’s ThreatSense detection technology, a single engine that identifies malicious behavior. On top of ThreatSense are five task-specific modules: a file system monitor; a Microsoft document monitor; a Microsoft Outlook monitor; an Internet traffic monitor; and the NOD32 on-demand scanner. The system works well at detecting and handling not only spyware but also viruses. It does not include a personal firewall.

Installing the NOD32 server components on my Windows 2000 Server was not nearly as straightforward as the other products. Documentation was available and helped explain the various installation procedures, including manually creating file shares for the client update service.

Creating an end-user policy was also a little more challenging than even with F-Secure. Another tool, NOD32 Configuration Editor, was required to create an XML configuration file that was then used to define my security policy as I distributed the agent out to my test clients. It would be nice to be able to do all of this from a single UI.

The most useful tool was yet a third application, NOD32 Remote Administrator. This console had by far the most useful UI of the bunch. In fact, Remote Administrator should have all of the afore-mentioned functions for the best all-around administration experience. With Remote Administrator, I was able to manage clients, deploy NOD32 to other PCs, view alerts and reports, and also schedule tasks. Additional client configuration is available through the console as well as update management.

NOD32’s reporting engine was one of the best of those tested, creating charts that were easy to read and understand. I like that I can save custom reports as templates and schedule the templates to run automatically.

NOD32 had one of the smaller memory footprints out of the ten products tested. Even while running a deep scan of my Windows XP Professional client, memory usage only topped out around 33MB -- easily half of the usage of most solutions. During a deep scan of my client, memory usage stayed nearly the same, but CPU utilization did jump up to around 75 percent, which is to be expected during an in-depth analysis.

NOD32 handled most of the malware I threw at it, detecting drive-by virus and other spyware installs as they occurred. It did, however, allow one adware program to drop Internet shortcuts on my desktop, and it also didn’t detect or remove Virtual Bouncer, AdRoar, and AdDestroyer. A subsequent deep on-demand scan also failed to identify and remove the adware.

Eset NOD32 Antivirus System may not be in anyone’s top five list of products to consider, but given a more comprehensive administration UI, it could become a major player in the anti-malicious program market. I like the way Eset integrates the various monitors, and the Remote Administration console nearly makes up for the other rough edges.

F-Secure Anti-Virus Client Security 6

F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates.  Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.