McAfee, Omniquad top anti-spyware test
By Barry Nance, Network World, 09/12/2005
Spyware can kill your business quicker than spam or viruses. Spam eats bandwidth and productivity (as you spend time deleting in-basket items). Viruses delete files, throw egotistical
messages on your screen and use your address book as a springboard for perpetuating themselves across the network.
But spyware insidiously logs your keystrokes, rifles through your files for password and credit card data, peppers your screen
with ads and slows your PCs to a crawl.
To find which anti-spyware product is best for your corporate network, we invited about 30 vendors to submit products to our
lab for testing. We received 18 products from 16 vendors (see box), and we also looked at the beta version of Microsoft's Windows AntiSpyware tool.
Identifying and removing spyware (either at the desktop or by preventing it at the gateway) was our most important criterion. We
also looked for useful reports, timely alerts and easy deployment and usability. Protecting our network from users who roam
the Internet too freely, or who bring unapproved software into the office, was our main goal.
Gateway defenses
Stopping spyware via gateways at each Internet connection point is clearly superior to cleaning it from individual server
and desktop computers. A gateway is easier to administer, users can't fool with it and desktop machines and servers don't
have to shoulder the extra burden of detecting and removing spyware. As long as a gateway filters every single crumb of spyware
and users do not bring freeware or shareware software into the office, the gateway approach is an ideal anti-spyware solution.
Two products we tested, Blue Coat's Spyware Interceptor and McAfee's Secure Web Gateway, are network appliances that filter
traffic to and from the Internet. Each installs between an Internet router and its switch or hub, and each filters spyware before it reaches the desktop. Two software products, Aladdin's eSafe and
Trend Micro's InterScan Anti-Spyware Suite, turn dual-network interface card (NIC) computers into gateways. One NIC connects
to the Internet while the other connects to the local network. The software filters the traffic flowing between the two network
adapters.
The McAfee appliance stopped an impressive 90% of the spyware in our tests. The appliance, a hefty 1U rack-mounted Dell PowerEdge
1850 pre-loaded with Windows, anti-spyware filtering software and browser-accessible administration tools, is one of McAfee's
Secure Content Management Appliance 4.0 products. Secure Web Gateway gave us URL filtering, Internet Content Adaptation Protocol
support and an easy-to-navigate user interface. It also can send SNMP alerts (for example, to HP OpenView or other frameworks). Installation was as simple as connecting the box to a router and
switch, powering it up and assigning an IP address.
Blue Coat's Spyware Interceptor thwarted 82% of our incoming spyware. Spyware Interceptor is a 1U rack-mounted device containing
on-chip logic for stopping spyware. The vendor targets Interceptor at networks of up to 1,000 users. Spyware Interceptor uses
what Blue Coat calls its Spyware Catching Object Protection Engine to intercept, analyze and halt over-the-wire executable
malware. This gateway-based engine blocks known spyware site URLs, outbound connections to known spyware sites (such as from
a spyware-infected client), "drive-by" (unsolicited) executable file downloads and known spyware files. Remarkably, Spyware
Interceptor allowed access to non-executable portions of spyware sites, which meant we saw the spyware site without worrying
about infection. It doesn't support SNMP alerts. Blue Coat also sent us a copy of WinProxy Secure Site 6.0, a software-based
gateway product that blocks spyware via its anti-virus and URL filtering features. WinProxy is intended for smaller networks.
Aladdin's eSafe turned aside 88% of the spyware in our tests. Using a five-pronged approach to identify spyware, it inspects
vendor ActiveX digital signatures, looks for attempts to exploit security holes, matches executable signatures to those of
known spyware, notes references to known spyware Web sites (via URL or IP address) and detects attempts by spyware to communicate
with spyware sites. ESafe not only prevents the installation of unsolicited software on PCs, it points out to administrators
those already-infected PCs that are trying to send data back to spyware vendors. Its comprehensive and detailed log file tells
what spyware was blocked, what spyware technique was used and what Web site it came from. ESafe's user interface is thoughtfully
designed, and it integrates with a network management system via syslog entries or SNMP alerts.
Trend Micro's OfficeScan Anti-Spyware Suite and InterScan Anti-Spyware Suite are a matched pair. InterScan, acting as the
first line of defense against spyware, is gateway software that is installed on a dual-NIC PC sitting at an Internet connection
point. In contrast, OfficeScan is a client/server anti-spyware tool that runs on desktop and server PCs and that has a central
browser-accessible management console. Together, InterScan and OfficeScan foiled 86% of spyware in our tests. Trend Micro
uses a signature file to identify spyware.
OfficeScan has a Windows-based run-time component that detects and blocks spyware on Windows servers and clients, and Trend
Micro includes ServerProtect for Novell NetWare and ServerProtect for Linux to block spyware on non-Windows machines. OfficeScan's
Damage Cleanup Services component removes most spyware residue from clients and renders the spyware inactive. The OfficeScan
central browser-accessed console is simple and straightforward to use. InterScan and OfficeScan record considerable detail
about each spyware instance encountered and can present that data in a variety of helpful reports.