McAfee, Omniquad top anti-spyware test

To find which anti-spyware product is best for your corporate network, we tested 18 products from 16 vendors, and we also looked at the beta version of Microsoft's Windows AntiSpyware tool.

Spyware can kill your business quicker than spam or viruses . Spam eats bandwidth and productivity (as you spend time deleting in-basket items). Viruses delete files, throw egotistical messages on your screen and use your address book as a springboard for perpetuating themselves across the network.


How we did it

NetResults: Anti-spyware software

NetResults: Anti-spyware gateways

Archive of Network World tests

Subscribe to the Network Product Test Results newsletter


But spyware insidiously logs your keystrokes, rifles through your files for password and credit card data, peppers your screen with ads and slows your PCs to a crawl.

To find which anti-spyware product is best for your corporate network, we invited about 30 vendors to submit products to our lab for testing. We received 18 products from 16 vendors (see box), and we also looked at the beta version of Microsoft's Windows AntiSpyware tool.

Identifying and removing spyware (either at the desktop or preventing at the gateway) was our most important criteria. We also looked for useful reports, timely alerts and easy deployment and usability. Protecting our network from users who roam the Internet too freely, or who bring unapproved software into the office, was our main goal.

What we tested

We evaluated Aladdin Knowledge Systems' eSafe Version 5, Blue Coat Systems' Spyware Interceptor, Computer Associates' eTrust PestPatrol Corporate Edition v5, Fortinet's FortiClient Host Security 2.0, FSecure's Anti-Virus Client Security 6.0, Lavasoft AB's Ad-Aware Professional, McAfee's Anti-Spyware Enterprise 8.0i and Secure Content Management Appliance 4.0 (Secure Web Gateway model 3300), Panda Software's EnterpriSecure with TruPrevent Technology, Ashanti PLC LTD's Spyware Defense V1.3, Sunbelt Software's CounterSpy Enterprise Version 1.5, SurfControl's Enterprise Threat Shield, Tangent's Packet Hawk Version 2.0, Omniquad's Omniquad AntiSpy Enterprise Version 3.3, Trend Micro's InterScan Anti-Spyware Suite and OfficeScan Anti-Spyware Suite, Webroot Software's Spy Sweeper Enterprise 2.1 and Websense's WebSense Web Security Suite-Lockdown Edition.

We gave separate awards for the gateway and the client/server approaches. McAfee's Secure Web Gateway wins a Clear Choice award for keeping spyware from entering our network (see Net Results for anti-spyware gateway products). The Secure Web Gateway thwarted 90% of the spyware in our tests, has an intuitive user interface and was child's play to install. On the client or server, Omniquad's Omniquad AntiSpy Enterprise wins Clear Choice award. (see Net Results ) These products had high spyware detection success rates, easy-to-navigate user interfaces and useful reports.

Gateway defenses

Stopping spyware via gateways at each Internet connection point is clearly superior to cleaning it from individual server and desktop computers. A gateway is easier to administer, users can't fool with it and desktop machines and servers don't have to shoulder the extra burden of detecting and removing spyware. As long as a gateway filters every single crumb of spyware and users do not bring freeware or shareware software into the office, the gateway approach is an ideal anti-spyware solution.

Two products we tested, Blue Coat's Spyware Interceptor and McAfee's Secure Web Gateway, are network appliances that filter traffic to and from the Internet. Each installs between an Internet router and its switch or hub, and each filters spyware before it reaches the desktop. Two software products, Aladdin's eSafe and Trend Micro's InterScan Anti-Spyware Suite, turn dual-network interface card (NIC) computers into gateways. One NIC connects to the Internet while the other connects to the local network. The software filters the traffic flowing between the two network adapters.

The McAfee appliance stopped an impressive 90% of the spyware in our tests. The appliance, a hefty 1U rack-mounted Dell PowerEdge 1850 pre-loaded with Windows, anti-spyware filtering software and browser-accessible administration tools, is one of McAfee's Secure Content Management Appliance 4.0 products. Secure Web Gateway gave us URL filtering, Internet Content Adaptation Protocol support and an easy-to-navigate user interface. It also can send SNMP alerts (for example, to HP OpenView or other frameworks). Installation was as simple as connecting the box to a router and switch, powering it up and assigning an IP address.

Blue Coat's Spyware Interceptor thwarted 82% of our incoming spyware. Spyware Interceptor is a 1U rack-mounted device containing on-chip logic for stopping spyware. The vendor targets Interceptor at networks of up to 1,000 users. Spyware Interceptor uses what Blue Coat calls its Spyware Catching Object Protection Engine to intercept, analyze and halt over-the-wire executable malware. This gateway-based engine blocks known spyware site URLs, outbound connections to known spyware sites (such as from a spyware-infected client), "drive-by" (unsolicited) executable file downloads and known spyware files. Remarkably, Spyware Interceptor allowed access to non-executable portions of spyware sites, which meant we saw the spyware site without worrying about infection. It doesn't support SNMP alerts. Blue Coat also sent us a copy of WinProxy Secure Site 6.0, a software-based gateway product that blocks spyware via its anti-virus and URL filtering features. WinProxy is intended for smaller networks.

Aladdin's eSafe turned aside 88% of the spyware in our tests. Using a five-pronged approach to identify spyware, it inspects vendor ActiveX digital signatures, looks for attempts to exploit security holes, matches executable signatures to those of known spyware, notes references to known spyware Web sites (via URL or IP address) and detects attempts by spyware to communicate with spyware sites. ESafe not only prevents the installation of unsolicited software on PCs, it points out to administrators those already-infected PCs that are trying to send data back to spyware vendors. Its comprehensive and detailed log file tells what spyware was blocked, what spyware technique was used and what Web site it came from. ESafe's user interface is thoughtfully designed, and it integrates with a network management system via syslog entries or SNMP alerts.

Trend Micro's OfficeScan Anti-Spyware Suite and InterScan Anti-Spyware Suite are a matched pair. InterScan, acting as the first line of defense against spyware, is gateway software that is installed on a dual-NIC PC sitting at an Internet connection point. In contrast, OfficeScan is a client/server anti-spyware tool that runs on desktop and server PCs and that has a central browser-accessible management console. Together, InterScan and OfficeScan foiled 86% of spyware in our tests. Trend Micro uses a signature file to identify spyware.

How to identify spyware

Anti-spyware products identify spyware by recognizing executable files, by noting that a PC is attempting to access a known spyware Internet site or by detecting that a computer program is making inappropriate changes to the Windows registry. Vendors find themselves "chasing" spyware by reacting to new spyware instances and new spyware behaviors as they emerge. We'd like to see anti-spyware vendors take a pre-emptive approach that allows better than 90% success at catching spyware.

InterScan contains two components: InterScan Web Security Suite and Trend Micro Damage Cleanup Services. Together, these block inbound spyware from known spyware sites, block outbound transmissions by spyware, block the browsing of known spyware sites and even detect spyware-infected servers and clients. Automatically and without installing a permanent agent, InterScan sends Damage Cleanup Services software to the infected machine for quick removal of the miscreant. InterScan can send SNMP alerts for events such as service start-up/shutdown, signature file update and spyware blocked, while OfficeScan can send an SNMP alert each time it thwarts a spyware installation attempt. Both InterScan and OfficeScan integrate with Cisco routers on which Network Admission Control is enabled.

OfficeScan has a Windows-based run-time component that detects and blocks spyware on Windows servers and clients, and Trend Micro includes ServerProtect for Novell NetWare and ServerProtect for Linux to block spyware on non-Windows machines. OfficeScan's Damage Cleanup Services component removes most spyware residue from clients and renders the spyware inactive. The OfficeScan central browser-accessed console is simple and straightforward to use. InterScan and OfficeScan record considerable detail about each spyware instance encountered and can present that data in a variety of helpful reports.

Client/server systems

Stopping spyware at the gateway might not be enough, especially if users bring freeware or shareware into the office. You might need to run an anti-spyware tool directly on client PCs and servers. Also note that using both gateway and client/server products can potentially increase your success rate at avoiding spyware.

WebSense Web Security Suite-Lockdown Edition squashed 88% of our test spyware. It distinguishes spyware by Secure Hash Algorithm-based signatures, computer program name, URL and IP address access. Web Security Suite-Lockdown also detects infected PCs by noting - and blocking - attempts by spyware to send information back to a known spyware URL or IP address. It also can thwart peer-to-peer file sharing, such as is commonly used by music download services. Clients use about 12M bytes of RAM and leave no residue following a spyware removal operation. An administrator can configure Web Security Suite-Lockdown to prevent the installation of any executable files on a PC, thus giving some assurance that the PC will run only approved software. It doesn't yet integrate via SNMP with a network management system.

Using a signature file to spot spyware, Omniquad's Omniquad AntiSpy Enterprise eliminated 86% of our test spyware. Omniquad AntiSpy Enterprise's central console offers both quick scans and complete scans. Quick scans, which look at running processes and other readily accessed system data, take seconds to run. Complete scans, which additionally search for spyware files and inspect the Windows registry, can take a few minutes. Client agents can be left resident in memory, where they catch spyware in real time. Ominquad AntiSpy Enterprise deploys client agents easily and automatically from the central console. The console component stores configuration and policy data in Active Directory, and it can emit SNMP alerts when spyware events occur. Omniquad AntiSpy Enterprise removed all spyware residue, including files and registry entries, in our tests.

Sunbelt Software's CounterSpy Enterprise aced 86% of the spyware we threw at it. It recognizes spyware via its file of MD5 hash signatures as well as what Sunbelt calls Active Protection - the detection of changes to the registry, system files and system start-up list. Each CounterSpy Enterprise agent's memory footprint is about 15M bytes. Because Sunbelt established a business relationship with Giant Company Software, now owned by Microsoft, Sunbelt gets the same spyware definitions that Microsoft uses in its new Windows AntiSpyware tool. With its Crystal Reports run-time module, CounterSpy Enterprise produces detailed, helpful reports organized by client, by spyware instance or by date range. It left no spyware residue in our tests, and its central console has an intuitively easy-to-use interface. CounterSpy Enterprise, however, doesn't do SNMP alerts.

Webroot Software's Spy Sweeper Enterprise cleaned up 85% of our test spyware. It uses a signature file plus the detection of file, memory and registry alterations to recognize spyware. The central console's user interface is especially well designed and easy to navigate. Client agent memory usage is about 12M bytes, and each client logs spyware events on the client in addition to sending event notifications to the server. Spy Sweeper Enterprise left some harmless data file residue in our tests. The Spy Sweeper Enterprise server consists of administrative console, database, spyware definition updater and client agent manager, with each component able to run on separate computers for the sake of scalability. It doesn't yet transmit SNMP alerts.

The Microsoft factor

Microsoft obtained Windows AntiSpyware, which is still in beta test, when it purchased Giant Company Software. Windows AntiSpyware detected 80% of our test spyware. When it finds spyware, Windows AntiSpyware presents the administrator with a list of threats found, details about each threat and recommendations for resolving each threat. At the administrator's behest, Windows AntiSpyware removes every vestige of a spyware instance. Like Omniquad AntiSpy Enterprise, Windows AntiSpyware can do a quick or full scan. Microsoft says the product will have a central console in the future. The Windows AntiSpyware beta test period is to conclude by year-end.

SurfControl Enterprise Threat Shield disabled 82% of the test spyware. Threat Shield's central console automatically deploys client agents down to PCs, and each agent refers to the central console's spyware definition database to validate incoming executable files. The spyware definitions are the signatures of known malware. The central console gives administrators a drag-and-drop visual environment for applying anti-spyware policies to individual PCs or a named group of PCs. Each policy consists of elements such as executable file signatures or wild-card-based range of system file names. The administrator chooses the action to take when a spyware event occurs, from deleting the culprit to notifying the administrator. Threat Shield's reports, which are easily customized, show views based on trends, violations or aggregate spyware activity. An administrator can choose to export report data as Adobe Acrobat PDF, Microsoft Word or Excel files. Threat Shield is especially frugal with client memory. Depending on the policies and spyware definition file used by a client, the agent takes up 220K to 750K bytes. Threat Shield left a small amount of residue - a couple of harmless data files - after some spyware removal actions. It doesn't emit SNMP alerts.

Running on Internet-connected servers and clients, Computer Associates' eTrust PestPatrol rid our computers of 82% of the test spyware. ETrust PestPatrol's automatic installation of agents onto desktops worked flawlessly and quickly. Through the well-designed central console, we easily launched scans on demand, at times we scheduled or when users logged on to the network. When an eTrust PestPatrol agent discovered spyware, it generated an alert on the central console, logged the event and let us remove the spyware with a mouse click. ETrust PestPatrol recognizes spyware via a signature file and by URL/IP address. It fastidiously removed every vestige of spyware residue, including registry entries. ETrust PestPatrol's reports can be grouped by user, by date/time or by spyware instance name. ETrust PestPatrol uses about 20M bytes of RAM on each protected computer if its Active Protection feature is enabled. It doesn't send SNMP alerts.

Tangent's Packet Hawk is a network appliance, but it's not a gateway. Rather, it contains a management console and client/server anti-spyware agents that it automatically distributes across a Windows-based network. In our tests, it recognized and discarded 81% of the test spyware. The unit is a 1U rack-mounted computer pre-loaded with Windows and the Packet Hawk software. Installation consists of connecting the unit to a switch or hub, powering it up, giving it an IP address and, in an Active Directory environment, setting up a domain account the device can use to log onto the network. The setup process is well documented, but Tangent offers new customers Quick Start free remote setup support. On desktop PCs or servers, Packet Hawk's scans automatically find, remove and block spyware, adware, pop-ups, malware, games, instant messaging clients and peer-to-peer tools. The console's user interface is simple and incorporates numerous wizards for stepping through configuration tasks such as scheduling updates. Packet Hawk doesn't emit SNMP alerts. Tangent targets various models of Packet Hawk at networks of 100 to 5,000 clients.

F-Secure's Anti-Virus Client Security is based on Lavasoft's Ad-Aware product. It zapped 78% of our test spyware and did an excellent job of removing every trace of spyware residue, including files, registry entries and system start-up list entries. It is painless to install and deploy, easy to use and tracks useful details about spyware intrusion attempts, such as list of spyware files, spyware name and classification, removal actions taken, date, time and file path. Anti-Virus Client Security recognizes spyware via signature, Windows registry keys, start-up list entries, file association changes and application hijacking efforts. Its memory footprint is 47M bytes, and Anti-Virus Client Security can send SNMP alerts to a network management system such as HP OpenView.

Like its close cousin, Anti-Virus Client Security, Lavasoft AB's Ad-Aware SE Enterprise 2005 Edition successfully detected and eliminated 78% of the test spyware. Ad-Aware uses signatures, registry alteration attempts and references to known spyware URLs/IP addresses to identify spyware, and it even has a useful facility for adding entries to the spyware URL/IP address list that we used to single out malware sites we discovered. Using Ad-Aware's central console, called Ad-Axis, we could automatically distribute Ad-Aware clients across our network, without having to visit remote sites, and scheduling spyware scans is easy with Ad-Aware's no-nonsense user interface. Less useful is Ad-Aware's Process-Watch component, which, like Windows Task Manager, shows currently running processes and lets you stop them. With features such as viewing or saving memory images in hexadecimal display format, Process-Watch is too technical for the average business user. Ad-Aware doesn't transmit SNMP alerts.

Panda Software's EnterpriSecure with TruPrevent Technology gave 78% of our test spyware the boot. Like Anti-Spyware Enterprise, Panda's EnterpriSecure is primarily an anti-spyware tool integrated with an anti-virus product. Panda supplies its anti-spyware module as part of a collection of anti-virus products for specific environments, such as Samba, Exchange, Domino, Sendmail, Qmail and file servers. TruPrevent Technology identifies spyware via signatures and what Panda terms "heuristic scans and behavior analysis" - examining an executable file for embedded known spyware URLs and IP addresses and monitoring a program's execution for registry, file or system modification. EnterpriSecure's central console gives administrators full control of anti-spyware and anti-virus scanning and agent deployment. The EnterpriSecure reports were useful, but we wished they contained more detail about spyware removal events. EnterpriSecure uses from 30M to 40M bytes of RAM, depending on how many of its options you enable. It leaves no spyware residue after a removal effort, and while it doesn't emit SNMP alerts, EnterpriSecure can respond to SQL requests with removal event information if you don't mind doing a little custom programming in, say, Visual Basic.

Fortinet's FortiClient Host Security is an anti-virus and anti-spyware personal firewall. It can act as an IPSec VPN client, and the firewall implements Network Address Translation. FortiClient killed 78% of the spyware in our tests. To detect malware, FortiClient monitors the registry for alterations, notes unwanted additions to the Windows start-up list and matches incoming over-the-wire executable files against a signature file. It offers centralized policy management, and the central console can automatically deploy FortiClient agents across a network of Windows-based machines. Pre-configuring and distributing agents took just a few moments to accomplish. FortiClient consumes 20M to 35M bytes of RAM. Turning on all options (anti-virus, firewall, signature recognition and registry/start-up list monitoring) sets the high water mark. FortiClient leaves no spyware residue on protected machines. It doesn't emit SNMP alerts.

McAfee's Anti-Spyware Enterprise did away with 76% of our test spyware. It and VirusScan Enterprise are a matched set, with Anti-Spyware Enterprise adding registry scanning, file scanning, memory process scanning and spyware removal to the VirusScan Enterprise anti-virus agent. The combined agent uses only about 10M bytes of RAM. McAfee's ePolicy Orchestrator provides the central console for both VirusScan Enterprise and Anti-Spyware Enterprise. The anti-spyware component knows spyware (what McAfee euphemistically terms Potentially Unwanted Programs, or PUPs) by signature and by suspicious registry, file and memory modifications. Anti-Spyware Enterprise removed all our test spyware executable files, but did leave the occasional harmless .dat file or registry entry on our clients. Deploying agents across a Windows-based network is automatic and quick, and the ePolicy Orchestrator central console produces a wealth of detailed, graphical reports. EPolicy Orchestrator can send SNMP alerts.

Ashanti's Spyware Defense fared the worst in our spyware removal tests, detecting only 72% of the spyware. Moreover, it forced us to visit each client to manually install its agents, and its spyware definition updates also were entirely manual. SpywareDefense identifies spyware by file name, directory path or wild-card filename mask. Clients consume about 22M bytes of RAM, and Spyware Defense does not emit SNMP alerts. It does have a central console for initiating client scans and requesting spyware definition downloads. Spyware Defense left no residue behind after our tests.

Conclusion

We recommend taking a close look at McAfee's Secure Web Gateway, which excels at keeping spyware from getting onto the network in the first place. If you need the additional security of anti-spyware running directly on the desktop or on a server, Omniquad's Omniquad AntiSpy Enterprise or WebSense's Web Security Suite-Lockdown Edition are likely just what the doctor ordered.

Accuracy, classification and updates
ProductSuccess RateSpyware instances recognized *Update frequency **  
Secure Content Management Appliance 4.0 (Secure Web Gateway model 3300)90%Uses malware detection scheme plus signatures to block spyware proactively.Daily
ESafe version 588%Uses malware detection scheme plus signatures to block spyware proactively.On average, three times a week
WebSense Web Security Suite-Lockdown Edition88%24,000 spyware instances, plus over 119,000 spyware-associated Web sitesDaily
CounterSpy Enterprise Version 1.586%75,492 traces and approximately 7,531 threatsAt least once a week but usually twice a week
InterScan Anti-Spyware Suite86%More than 32,000Hourly
OfficeScan Anti-Spyware Suite86%More than 32,000Hourly
Omniquad AntiSpy Enterprise Version 3.386%55,010Daily
Spy Sweeper Enterprise 2.185%100,087Twice weekly
eTrust PestPatrol Corporate Edition v582%27,902 unique variantsAt least once weekly
Spyware Interceptor82%6,980 spyware sources (inbound URLs) and 5,530 spyware effects (outbound URLs). 2,358 spyware IP addresses, 4,240 unique spyware instances.At least six times a day
SurfControl Enterprise Threat Shield82%Over 12,000 unique spyware files, over 25,000 games, over 1,200 P2P files and over 850 instant messaging files.At least weekly
Packet Hawk Version 2.081%22,000Weekly
Microsoft AntiSpyware80%ConfidentialUser-settable
Ad-Aware Professional78%41,785On start-up
Anti-Virus Client Security 6.078%35,000 spyware signatures (3,000 to 4,000 variants belonging to 600 families).Twice daily, on average
EnterpriSecure with TruPrevent Technology78%Vendor says, “We've been developing signatures against this type of threat for years, so it is comprehensive.”At least daily
FortiClient 2.078%More than 3,200Whenever vendor creates new signatures
McAfee Anti-Spyware Enterprise 8.0i76%More than 4,580 spyware instancesDaily
Spyware Defense V1.372%1,114Once a week

* Some anti-spyware vendors count every variation of a spyware instance, while other vendors simply count a spyware instance and variations of that same instance as a single entity. The anti-spyware industry needs to develop and promote some standards for what constitutes a spyware entity.

** All the products allow administrators to manually request spyware definition file updates at any time.

Nance runs Network Testing Labs and is the author of Introduction to Networking, 4th Edition and Client/Server LAN Programming. He can be reached at barryn@erols.com.

NW Lab Alliance

Nance is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

Join the discussion
Be the first to comment on this article. Our Commenting Policies