We tested each product's ability to correctly identify and effectively remove spyware. We evaluated each vendor's approach to updating its product to recognize new spyware, and looked at the ease with which a network administrator can deploy the product. We also gauged how easily we could administer the deployed product from a central console. Finally, we tested any reports the product produces.
Using Internet-connected computers, we collected 20 instances of both spyware and Web page source code of the sites that distributed the spyware. For testing, we moved the collected spyware material to an isolated, quarantined network not connected to the Internet.
The quarantined test network consisted of 10 clients, running Windows NT/98/2000/ME/XP, Red Hat Linux and Macintosh System 8. The network also contained three Web servers (Microsoft Internet Information Server, Netscape Enterprise Server and Apache), two e-mail servers (Microsoft Exchange and Sendmail), two file servers (Microsoft Windows 2000 Advanced Server and NetWare) and three database servers (Oracle 8i, Sybase Adaptive Server and Microsoft SQL Server). An Agilent Advisor protocol analyzer eavesdropped on the network traffic to show overall utilization and the detailed content of messages.
Back to test: "Enterprise-level anti-spyware software"