How we tested antimalware
By Barry Nance, Network World
September 18, 2006 12:08 AM ET
Focusing on gateway products, we primarily looked for the ability to identify and block malware (such as keystroke loggers, browser hijackers, adware, rootkits, dialers, data miners and Trojans). We wanted a product to prevent malware from sending data from our network (i.e., “phoning home”), identify already-infected clients, handle Skype- and IM-borne malware as well as HTTP-borne malware, scan traffic quickly, receive frequent spyware definition updates, integrate with a network-management system (such as OpenView) and produce helpful reports on infection attempts and traffic statistics.

We collected a suite of 70 malware samples, and vendors gave us some additional samples to test with. We moved the collected material to an isolated, quarantined network. The quarantined network consisted of three subnets. Subnet 1 had 10 client machines with a variety of operating systems, including Windows NT, 98, 2000, ME, XP, Red Hat Linux and Macintosh OS X. Subnet 2 contained three Web servers (Microsoft IIS, Netscape Enterprise Server and Apache), three e-mail servers (Exchange, Notes and Sendmail), two file servers (Windows 2003 Advanced Server and NetWare) and two database servers (Oracle 8i and Microsoft SQL Server).

Subnet 3, simulating the "Internet," had Web, IM and Skype servers and clients containing the malware instances and sporting “bad guy” IP addresses and URLs. Systems on the first two subnets accessed the third subnet as if it were the real Internet.
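As an added illustration of the phone-home and infected-client checks listed above (this is not Network World's own test harness), the script below scores a gateway from its connection log: which protected clients tried to reach a "bad guy" host on the simulated Internet, and how many of those attempts the gateway blocked. The log format, the subnet addresses and the bad-guy hosts are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed lab layout: subnets 1 and 2 are the protected side, subnet 3 plays the Internet.
INSIDE = [ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")]
# Constructed "bad guy" hosts on subnet 3 that the malware samples phone home to.
BAD_GUYS = {"10.3.0.10", "10.3.0.11", "10.3.0.12"}

# Constructed gateway log: "<time> <src> -> <dst> <port> <ALLOW|BLOCK>" (assumed format).
SAMPLE_LOG = """\
2006-09-01T10:00:01 10.1.0.5 -> 10.3.0.10 80 BLOCK
2006-09-01T10:00:02 10.1.0.5 -> 10.3.0.10 80 BLOCK
2006-09-01T10:00:09 10.1.0.7 -> 10.3.0.11 443 ALLOW
2006-09-01T10:01:00 10.2.0.3 -> 10.3.0.12 5190 BLOCK
2006-09-01T10:01:30 10.1.0.9 -> 10.3.0.50 80 ALLOW
garbage line
"""

def parse_line(line):
    """Return (src, dst, port, action), or None for a malformed line."""
    p = line.split()
    if len(p) != 6 or p[2] != "->" or p[5] not in ("ALLOW", "BLOCK") or not p[4].isdigit():
        return None
    return p[1], p[3], int(p[4]), p[5]

def is_inside(ip):
    """True when the address belongs to one of the protected subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE)

def score_phone_home(log_text):
    """Count blocked/allowed phone-home attempts per inside client. A clean client never
    calls a bad-guy host, so any attempt marks that client infected; ALLOW is a gateway miss."""
    per_client = defaultdict(lambda: {"blocked": 0, "allowed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate noise rather than abort the whole report
        src, dst, _port, action = rec
        if dst in BAD_GUYS and is_inside(src):
            per_client[src]["blocked" if action == "BLOCK" else "allowed"] += 1
    blocked = sum(v["blocked"] for v in per_client.values())
    attempts = blocked + sum(v["allowed"] for v in per_client.values())
    return {
        "infected_clients": sorted(per_client),
        "missed": sorted(c for c, v in per_client.items() if v["allowed"]),
        "block_rate": blocked / attempts if attempts else None,
        "per_client": dict(per_client),
    }
```

Traffic to a subnet 3 host that is not on the bad-guy list (10.1.0.9 above) is ordinary browsing and is left out of the score.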