McAfee, Omniquad top anti-spyware test

To find which anti-spyware product is best for your corporate network, we tested 18 products from 16 vendors, and we also looked at the beta version of Microsoft's Windows AntiSpyware tool.

Spyware can kill your business quicker than spam or viruses. Spam eats bandwidth and productivity (as you spend time deleting in-basket items). Viruses delete files, throw egotistical messages on your screen and use your address book as a springboard for perpetuating themselves across the network.


But spyware insidiously logs your keystrokes, rifles through your files for password and credit card data, peppers your screen with ads and slows your PCs to a crawl.

To find which anti-spyware product is best for your corporate network, we invited about 30 vendors to submit products to our lab for testing. We received 18 products from 16 vendors (see box), and we also looked at the beta version of Microsoft's Windows AntiSpyware tool.

Identifying and removing spyware (either at the desktop or preventing it at the gateway) was our most important criterion. We also looked for useful reports, timely alerts, and easy deployment and usability. Protecting our network from users who roam the Internet too freely, or who bring unapproved software into the office, was our main goal.

What we tested

We evaluated Aladdin Knowledge Systems' eSafe Version 5, Blue Coat Systems' Spyware Interceptor, Computer Associates' eTrust PestPatrol Corporate Edition v5, Fortinet's FortiClient Host Security 2.0, F-Secure's Anti-Virus Client Security 6.0, Lavasoft AB's Ad-Aware Professional, McAfee's Anti-Spyware Enterprise 8.0i and Secure Content Management Appliance 4.0 (Secure Web Gateway model 3300), Panda Software's EnterpriSecure with TruPrevent Technology, Ashanti PLC LTD's Spyware Defense V1.3, Sunbelt Software's CounterSpy Enterprise Version 1.5, SurfControl's Enterprise Threat Shield, Tangent's Packet Hawk Version 2.0, Omniquad's Omniquad AntiSpy Enterprise Version 3.3, Trend Micro's InterScan Anti-Spyware Suite and OfficeScan Anti-Spyware Suite, Webroot Software's Spy Sweeper Enterprise 2.1 and Websense's WebSense Web Security Suite-Lockdown Edition.

We gave separate awards for the gateway and the client/server approaches. McAfee's Secure Web Gateway wins a Clear Choice award for keeping spyware from entering our network (see Net Results for anti-spyware gateway products). The Secure Web Gateway thwarted 90% of the spyware in our tests, has an intuitive user interface and was child's play to install. On the client or server, Omniquad's Omniquad AntiSpy Enterprise wins a Clear Choice award (see Net Results for anti-spyware software). These products had high spyware detection success rates, easy-to-navigate user interfaces and useful reports.

Gateway defenses

Stopping spyware via gateways at each Internet connection point is clearly superior to cleaning it from individual server and desktop computers. A gateway is easier to administer, users can't fool with it and desktop machines and servers don't have to shoulder the extra burden of detecting and removing spyware. As long as a gateway filters every single crumb of spyware and users do not bring freeware or shareware software into the office, the gateway approach is an ideal anti-spyware solution.

Two products we tested, Blue Coat's Spyware Interceptor and McAfee's Secure Web Gateway, are network appliances that filter traffic to and from the Internet. Each installs between an Internet router and its switch or hub, and each filters spyware before it reaches the desktop. Two software products, Aladdin's eSafe and Trend Micro's InterScan Anti-Spyware Suite, turn dual-network interface card (NIC) computers into gateways. One NIC connects to the Internet while the other connects to the local network. The software filters the traffic flowing between the two network adapters.

The McAfee appliance stopped an impressive 90% of the spyware in our tests. The appliance, a hefty 1U rack-mounted Dell PowerEdge 1850 pre-loaded with Windows, anti-spyware filtering software and browser-accessible administration tools, is one of McAfee's Secure Content Management Appliance 4.0 products. Secure Web Gateway gave us URL filtering, Internet Content Adaptation Protocol support and an easy-to-navigate user interface. It also can send SNMP alerts (for example, to HP OpenView or other frameworks). Installation was as simple as connecting the box to a router and switch, powering it up and assigning an IP address.

Blue Coat's Spyware Interceptor thwarted 82% of our incoming spyware. Spyware Interceptor is a 1U rack-mounted device containing on-chip logic for stopping spyware. The vendor targets Interceptor at networks of up to 1,000 users. Spyware Interceptor uses what Blue Coat calls its Spyware Catching Object Protection Engine to intercept, analyze and halt over-the-wire executable malware. This gateway-based engine blocks known spyware site URLs, outbound connections to known spyware sites (such as from a spyware-infected client), "drive-by" (unsolicited) executable file downloads and known spyware files. Remarkably, Spyware Interceptor allowed access to non-executable portions of spyware sites, which meant we saw the spyware site without worrying about infection. It doesn't support SNMP alerts. Blue Coat also sent us a copy of WinProxy Secure Site 6.0, a software-based gateway product that blocks spyware via its anti-virus and URL filtering features. WinProxy is intended for smaller networks.

Aladdin's eSafe turned aside 88% of the spyware in our tests. Using a five-pronged approach to identify spyware, it inspects vendor ActiveX digital signatures, looks for attempts to exploit security holes, matches executable signatures to those of known spyware, notes references to known spyware Web sites (via URL or IP address) and detects attempts by spyware to communicate with spyware sites. ESafe not only prevents the installation of unsolicited software on PCs, it points out to administrators those already-infected PCs that are trying to send data back to spyware vendors. Its comprehensive and detailed log file tells what spyware was blocked, what spyware technique was used and what Web site it came from. ESafe's user interface is thoughtfully designed, and it integrates with a network management system via syslog entries or SNMP alerts.

Trend Micro's OfficeScan Anti-Spyware Suite and InterScan Anti-Spyware Suite are a matched pair. InterScan, acting as the first line of defense against spyware, is gateway software that is installed on a dual-NIC PC sitting at an Internet connection point. In contrast, OfficeScan is a client/server anti-spyware tool that runs on desktop and server PCs and that has a central browser-accessible management console. Together, InterScan and OfficeScan foiled 86% of spyware in our tests. Trend Micro uses a signature file to identify spyware.

How to identify spyware

Anti-spyware products identify spyware by recognizing executable files, by noting that a PC is attempting to access a known spyware Internet site or by detecting that a computer program is making inappropriate changes to the Windows registry. Vendors find themselves "chasing" spyware by reacting to new spyware instances and new spyware behaviors as they emerge. We'd like to see anti-spyware vendors take a pre-emptive approach that allows better than 90% success at catching spyware.
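The three identification methods above (file signatures, access to known spyware sites, and inappropriate registry changes) can be shown side by side in a small detector. The following is an added example written for this review, not code from any of the products tested; the hashes, host names, proxy log lines and registry events are all constructed sample data, and the "proxy log" format and "registry event" dictionaries are assumed shapes, not any vendor's real format.

```python
"""Toy spyware detector illustrating the three identification methods
named in the review: executable-file signatures, access to known spyware
sites, and writes to Windows start-up registry keys.
Added example; all signatures, hosts, log lines and events are constructed."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple

# 1. Executable-file signatures. A real product ships a vendor-maintained
#    signature file; here the "known bad" hashes are computed from fake payloads.
KNOWN_BAD_PAYLOADS = {
    "FakeToolbar.exe": b"MZ\x90\x00constructed-toolbar-payload",
    "KeyLogSvc.dll": b"MZ\x90\x00constructed-keylogger-payload",
}
BAD_SHA256 = {hashlib.sha256(b).hexdigest(): n for n, b in KNOWN_BAD_PAYLOADS.items()}


def match_file_signature(data: bytes) -> Optional[str]:
    """Return the signature name if the file's SHA-256 is on the bad list."""
    return BAD_SHA256.get(hashlib.sha256(data).hexdigest())


# 2. Known spyware sites, by host name or IP address (constructed entries).
BAD_HOSTS = {"ads.example-spyware.test", "203.0.113.45"}

# Assumed proxy log shape: "<timestamp> <client-ip> <method> <url>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def flag_site_access(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, host) pairs for log lines that reach a known spyware site.
    Each hit also identifies an internal client that is probably already infected."""
    hits = []
    for line in log_lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        h = HOST_RE.match(m["url"])
        if h and h.group(1).lower() in BAD_HOSTS:
            hits.append((m["client"], h.group(1).lower()))
    return hits


# 3. Inappropriate registry changes: any value written under a start-up key.
AUTOSTART_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def flag_registry_changes(events: Iterable[dict]) -> List[dict]:
    """Return registry write events that add a start-up entry.
    Event dicts are an assumed shape: op, key, value, process."""
    return [e for e in events
            if e["op"] == "SetValue"
            and any(e["key"].lower().startswith(k.lower()) for k in AUTOSTART_KEYS)]


def scan(files: Dict[str, bytes], proxy_log: Iterable[str], registry_events: Iterable[dict]) -> dict:
    """Run all three checks and summarise what each one found."""
    proxy_log = list(proxy_log)
    site_hits = flag_site_access(proxy_log)
    return {
        "bad_files": [p for p, data in files.items() if match_file_signature(data)],
        "site_hits": site_hits,
        "infected_clients": sorted({c for c, _ in site_hits}),
        "autostart_writes": [e["process"] for e in flag_registry_changes(registry_events)],
    }


# Constructed sample input: one bad download, one benign file, three proxy
# lines (two to listed sites) and two registry writes (one to a Run key).
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\FakeToolbar.exe": KNOWN_BAD_PAYLOADS["FakeToolbar.exe"],
    r"C:\Users\alice\Documents\notes.txt": b"quarterly numbers",
}
SAMPLE_PROXY_LOG = [
    "2005-06-01T10:02:11 10.0.0.12 GET http://ads.example-spyware.test/track?id=7",
    "2005-06-01T10:02:15 10.0.0.12 GET http://www.example.com/index.html",
    "2005-06-01T10:03:40 10.0.0.31 POST http://203.0.113.45/upload",
]
SAMPLE_REGISTRY_EVENTS = [
    {"op": "SetValue", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Toolbar", "process": "FakeToolbar.exe"},
    {"op": "SetValue", "key": r"HKCU\Software\Contoso\Editor",
     "value": "LastFile", "process": "editor.exe"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, SAMPLE_PROXY_LOG, SAMPLE_REGISTRY_EVENTS))
```

The hash check is the weakest of the three against the "chasing" problem the paragraph describes: a repacked copy of the same spyware has a new hash and is missed until the signature file is updated, whereas the site blocklist and the start-up-key watch catch the behaviour regardless of the binary. That is why the products reviewed below that reach the higher detection rates combine all three methods rather than relying on signatures alone.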

InterScan contains two components: InterScan Web Security Suite and Trend Micro Damage Cleanup Services. Together, these block inbound spyware from known spyware sites, block outbound transmissions by spyware, block the browsing of known spyware sites and even detect spyware-infected servers and clients. Automatically and without installing a permanent agent, InterScan sends Damage Cleanup Services software to the infected machine for quick removal of the miscreant. InterScan can send SNMP alerts for events such as service start-up/shutdown, signature file update and spyware blocked, while OfficeScan can send an SNMP alert each time it thwarts a spyware installation attempt. Both InterScan and OfficeScan integrate with Cisco routers on which Network Admission Control is enabled.

OfficeScan has a Windows-based run-time component that detects and blocks spyware on Windows servers and clients, and Trend Micro includes ServerProtect for Novell NetWare and ServerProtect for Linux to block spyware on non-Windows machines. OfficeScan's Damage Cleanup Services component removes most spyware residue from clients and renders the spyware inactive. The OfficeScan central browser-accessed console is simple and straightforward to use. InterScan and OfficeScan record considerable detail about each spyware instance encountered and can present that data in a variety of helpful reports.

Client/server systems

Stopping spyware at the gateway might not be enough, especially if users bring freeware or shareware into the office. You might need to run an anti-spyware tool directly on client PCs and servers. Also note that using both gateway and client/server products can potentially increase your success rate at avoiding spyware.

WebSense Web Security Suite-Lockdown Edition squashed 88% of our test spyware. It distinguishes spyware by Secure Hash Algorithm-based signatures, computer program name, URL and IP address access. Web Security Suite-Lockdown also detects infected PCs by noting - and blocking - attempts by spyware to send information back to a known spyware URL or IP address. It also can thwart peer-to-peer file sharing, such as is commonly used by music download services. Clients use about 12M bytes of RAM and leave no residue following a spyware removal operation. An administrator can configure Web Security Suite-Lockdown to prevent the installation of any executable files on a PC, thus giving some assurance that the PC will run only approved software. It doesn't yet integrate via SNMP with a network management system.

Using a signature file to spot spyware, Omniquad's Omniquad AntiSpy Enterprise eliminated 86% of our test spyware. Omniquad AntiSpy Enterprise's central console offers both quick scans and complete scans. Quick scans, which look at running processes and other readily accessed system data, take seconds to run. Complete scans, which additionally search for spyware files and inspect the Windows registry, can take a few minutes. Client agents can be left resident in memory, where they catch spyware in real time. Omniquad AntiSpy Enterprise deploys client agents easily and automatically from the central console. The console component stores configuration and policy data in Active Directory, and it can emit SNMP alerts when spyware events occur. Omniquad AntiSpy Enterprise removed all spyware residue, including files and registry entries, in our tests.

Sunbelt Software's CounterSpy Enterprise aced 86% of the spyware we threw at it. It recognizes spyware via its file of MD5 hash signatures as well as what Sunbelt calls Active Protection - the detection of changes to the registry, system files and system start-up list. Each CounterSpy Enterprise agent's memory footprint is about 15M bytes. Because Sunbelt established a business relationship with Giant Company Software, now owned by Microsoft, Sunbelt gets the same spyware definitions that Microsoft uses in its new Windows AntiSpyware tool. With its Crystal Reports run-time module, CounterSpy Enterprise produces detailed, helpful reports organized by client, by spyware instance or by date range. It left no spyware residue in our tests, and its central console has an intuitively easy-to-use interface. CounterSpy Enterprise, however, doesn't do SNMP alerts.

Webroot Software's Spy Sweeper Enterprise cleaned up 85% of our test spyware. It uses a signature file plus the detection of file, memory and registry alterations to recognize spyware. The central console's user interface is especially well designed and easy to navigate. Client agent memory usage is about 12M bytes, and each client logs spyware events on the client in addition to sending event notifications to the server. Spy Sweeper Enterprise left some harmless data file residue in our tests. The Spy Sweeper Enterprise server consists of administrative console, database, spyware definition updater and client agent manager, with each component able to run on separate computers for the sake of scalability. It doesn't yet transmit SNMP alerts.

The Microsoft factor

Microsoft obtained Windows AntiSpyware, which is still in beta test, when it purchased Giant Company Software. Windows AntiSpyware detected 80% of our test spyware. When it finds spyware, Windows AntiSpyware presents the administrator with a list of threats found, details about each threat and recommendations for resolving each threat. At the administrator's behest, Windows AntiSpyware removes every vestige of a spyware instance. Like Omniquad AntiSpy Enterprise, Windows AntiSpyware can do a quick or full scan. Microsoft says the product will have a central console in the future. The Windows AntiSpyware beta test period is to conclude by year-end.
