Network World

Westinghouse tightens security

Early virus detection through behavior-blocking was worth the aggravation of extra training.
By Ellen Messmer, Network World, 10/03/2005

To combat viruses and spyware, Westinghouse Electric has rolled out desktop software that watches for suspicious code activity and blocks it based on behavior.

The software proved effective in stopping the recent Zotob worm in its tracks, in advance of anti-virus vendors identifying the threat and producing signatures to detect it, says Tom Moser, Westinghouse's manager of IT services.

But he points out that while behavior-based security protection does detect threats early, the downside is it can generate a lot of false alerts that distract both end users and help-desk staff.

"It's causing [end users] to make a decision about whether their machine is being attacked," says Moser, whose staff spent the first half of this year deploying Cisco Security Agent (CSA) software for use by almost all its 7,500 employees.

Westinghouse, which began piloting the software last year with a group of 150 users for two months, found CSA was trigger-happy in its alerting when placed in monitoring mode. Other desktop applications that Westinghouse was running, including McAfee anti-virus and programming debugging tools, induced CSA to wrongly tell the user in a screen-display message that the machine faced an unknown security threat.

"One thing we ran into early on was it generated 30,000 alerts per day for McAfee anti-virus," Moser says. With Cisco consultants called in to help, Westinghouse reduced that number to 50.

Helping thousands of employees adapt to the concept of behavior-based software was a challenge, requiring considerable training to help them interact with CSA.

In its alerting, CSA gives the user the chance to override any blocking of a suspected threat. But in training its employees, Westinghouse has encouraged them to always let CSA block the code activity it detects, just to be on the safe side. Users are instructed to check with the help desk if CSA seems to be blocking something legitimate.

Westinghouse isn't abandoning use of anti-virus products, but says its $50,000 behavior-based software project is paying off. When the Zotob worm appeared last month, the number of alerts - which had previously averaged 1,000 per day - jumped to more than 8,000, and Westinghouse was spared damage (CSA includes a central management console that generates alert-tracking reports, among other things).
