Test: Enterprise-level anti-spyware software

Webroot shines in sweeping up the spyware.

Like viruses and other harmful programs, spyware is a huge security problem. Worse than a typical virus, a spyware program can send corporate data directly from your company's client computers to an Internet-based collection point, such as a shady adware site or some other group of bad guys.

The perfect anti-spyware tool detects all spyware, identifies all the files and registry entries associated with the spyware, and safely removes all its traces, remnants and residue. In a corporation, the ideal tool also offers a central console through which network administrators can easily disinfect client computers. The ideal tool is simple to install and deploy, and conveniently updates its own spyware signature list. Status displays and reports give you a quick and accurate picture of how badly spyware is harming your company. A good tool should also be able to detect and remove Trojans, dialers, malware and browser hijackers (see "Five common types of spyware," below).


We recently invited several anti-spyware vendors to submit products to our Alabama lab. We tested Webroot Software's Spy Sweeper Enterprise Version 1.5, InterMute's SpySubtract Pro Version 2.5, Tech Assist's Omniquad AntiSpy Enterprise Edition Version 4.0 and PepiMK Software's SpyBot - Search & Destroy Version 1.3.

Webroot's Spy Sweeper Enterprise proved itself the best anti-spyware tool in our tests, winning a Clear Choice Award. It contained the most spyware definitions, gave us excellent control over its client agents from a central console, ran quickly and unobtrusively, had an intuitive user interface, and displayed useful reports of its activity.

Find and remove

Webroot says Spy Sweeper Enterprise's definitions cover 35,575 spyware programs; Omniquad AntiSpy Enterprise contains about 10,000 spyware definitions; SpySubtract Pro has 31,124; and the freeware SpyBot Search & Destroy contains more than 10,000. Vendors count differently (some count every file and registry entry, others count spyware families), so the totals are not directly comparable. Auditing a sample of each vendor's list verified that its spyware definitions were authentic and valid.

All four products automatically update their definitions by accessing vendor master lists via the Internet. Spy Sweeper Enterprise updates generally occur weekly, Omniquad AntiSpy Enterprise updates occur every three days (sometimes more frequently) and SpySubtract Pro updates occur every one to two weeks. All four accurately detected and disposed of the 20 examples of miscreant spyware we introduced into our test network (see "How we did it").

Spy Sweeper Enterprise includes four server components - an administration console, enterprise database, update server and client server.

The administration console is the user interface for configuring clients, managing spyware definition updates, establishing alerts and notifications, viewing reports and remotely directing client spyware scans, including running an immediate spyware scan on a specific remote client or group of clients.

The enterprise database component stores configuration settings and scan results. The update server automatically obtains the latest spyware definitions from the vendor on the scheduled weekly basis, or an administrator can tell Spy Sweeper Enterprise to retrieve definitions on demand.

The client server module sends configuration settings and definition updates to the clients, and receives the scan results from those clients. On each client, Spy Sweeper Enterprise's client agent scans for spyware - periodically or on demand.

When spyware is detected (either incoming or pre-existing), the client disables and quarantines the spyware. It then sends an alert to the client server, which records the event in the database and tells the administration console to notify a network administrator. Because Spy Sweeper Enterprise consumes little bandwidth and because you can spread its workload across multiple servers, we found it scales extremely well. Each scan took only about 4 minutes and consumed few resources as it ran unobtrusively in the background on each client.

FreezeX ices executables

If your company prohibits the installation of any software on a client once that client has been configured, Faronics’ FreezeX ($25 plus $45.60 for each client) might be of interest to you. At installation, FreezeX notes which computer programs are already on a computer and deems them “authorized.” Thereafter, FreezeX denies any attempt to install or run unauthorized computer programs, whether via removable media or the network. Faronics says FreezeX intercepts more than 80 types of executables, including .scr, .sys and .dll files. We found FreezeX to be a reliable, no-nonsense watchdog against BHOs and every other type of executable we tried to install. You can even use it as a de facto license manager. Its Silent Install option for quickly and painlessly deploying FreezeX remotely across a network works well.

Five common types of spyware

Category          Typical action
Keyboard logger   (aka trackware) Captures keystrokes, including personal information and passwords, or tracks the Web sites you visit.
Trojan            Enables remote control of your computer by a hacker, often for distributed DoS attacks.
Droneware         Sends spam or hosts offensive Web images.
Dialer            Auto-dials area code 900 numbers or expensive long-distance calls via your modem.
Adware            Pops up advertisement-laden browser windows.

Not-so-fun spyware facts

• Some spyware sends captured data to North Korean intelligence agency servers. The North Korean government analyzes what it captures, sells the data to criminals and organizes international distributed DoS attacks. South Korea’s defense ministry recently said that North Korea has trained more than 500 computer hackers to wage cyberwarfare against the U.S. (www.nwfusion.com, DocFinder: 5030). The ministry reported that North Korean militant hackers, who have undergone a five-year university course geared toward penetrating the computer systems of the U.S., South Korea and Japan, are among the best in the world.

• Want to see Web sites that promote the use of spyware for advertising? Head to www.stop-popup-ads-now.com or www.abetterinternet.com. If you visit these sites, please first maximize your browser security level, do not click on any of the links you see and examine your system afterward for possible spyware infection.

Omniquad's AntiSpy Enterprise includes an enterprise manager and a component for each client. Any scan it performs can be a quick scan or a complete scan. A complete scan took just over 4 minutes to run, while a quick scan took just over 1 minute. The quick scan appeared to examine only in-memory programs and to ask Windows for its list of registered browser helper objects (see "Detecting BHOs"), while the complete scan also searched client hard drives and examined the entire Windows registry. Besides finding and rooting out pre-existing spyware, the client component catches incoming spyware in real time. With the Enterprise Manager, we could schedule scans to occur daily at a specific time, and we could initiate on-demand scans. Tech Assist says a future version will integrate with Active Directory to store configuration and policy data in the directory rather than separately inside Enterprise Manager.

InterMute's SpySubtract Pro detects spyware by filename and by file contents, the latter through MD5 (Message-Digest algorithm 5) hash matching. MD5 is a widely used cryptographic hash function that produces a 128-bit digest. The program computes the MD5 hash of each suspect file and compares the result with its internal list of hashes of known spyware files, so it identifies a known spyware file even when it has been renamed or is operating under an alias. The flip side of content matching is that it recognizes only byte-identical files: a variant that differs by a single byte hashes to a different value and goes undetected until a new definition arrives. SpySubtract Pro scanned for spyware faster than Spy Sweeper Enterprise, but unfortunately lacked a central console component through which a network administrator could manage spyware scans on multiple clients. InterMute says a central console feature should be available by year-end.
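
The hash-matching approach is easy to see in code. The following is an added example, not InterMute's code: it walks a directory tree, computes the MD5 of every file and looks the digest up in a small definitions table, falling back to a filename match when the content is unknown. The spyware names, sample file bodies and filenames are constructed for the example, and the definitions table is derived from those constructed bodies so the script runs offline without a vendor feed. It demonstrates both points above: the keylogger sample renamed to an alias is still caught by its hash, while the dialer sample with one byte flipped is caught only because it kept a known filename.

```python
"""Hash-based spyware identification in the style of the MD5 matching described
above. Added example, not InterMute's code. The spyware names, file bodies and
filenames are constructed; the definition table is derived from the constructed
bodies so the script needs no vendor feed and runs offline."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed stand-ins for real spyware binaries (name -> file body).
KNOWN_SAMPLES = {
    "Trackware.KeyLog": b"KEYLOGGER SAMPLE BODY - constructed for this example\n",
    "Dialer.Premium900": b"DIALER SAMPLE BODY - constructed for this example\n",
}

# The "definitions file": MD5 hex digest -> spyware name.
DEFINITIONS = {hashlib.md5(body).hexdigest(): name for name, body in KNOWN_SAMPLES.items()}

# Filenames the samples are known to ship under: the weaker, name-based signal.
KNOWN_FILENAMES = {"keylog.dll": "Trackware.KeyLog", "dialer.exe": "Dialer.Premium900"}


@dataclass
class Finding:
    path: str
    name: str
    matched_by: str  # "md5" (content match) or "filename" (name match only)


def md5_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root):
    """Walk root; report every file whose MD5 is in DEFINITIONS and, otherwise,
    every file carrying a known spyware filename."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            digest = md5_of_file(path)
            if digest in DEFINITIONS:
                findings.append(Finding(path, DEFINITIONS[digest], "md5"))
            elif filename.lower() in KNOWN_FILENAMES:
                findings.append(Finding(path, KNOWN_FILENAMES[filename.lower()], "filename"))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root):
    """Populate root with constructed files:
    keylog.dll     the keylogger body under its usual name (hash and name match)
    svchelper.dll  the same body renamed to an alias (hash match only)
    dialer.exe     the dialer body with one byte flipped (name match only: any
                   change to the file defeats hash matching)
    notes.txt      benign"""
    root = Path(root)
    (root / "keylog.dll").write_bytes(KNOWN_SAMPLES["Trackware.KeyLog"])
    (root / "svchelper.dll").write_bytes(KNOWN_SAMPLES["Trackware.KeyLog"])
    tampered = bytearray(KNOWN_SAMPLES["Dialer.Premium900"])
    tampered[0] ^= 0x01
    (root / "dialer.exe").write_bytes(bytes(tampered))
    (root / "notes.txt").write_bytes(b"nothing to see here\n")


def demo():
    """Build the sample tree in a temp dir, scan it, return (filename, spyware, matched_by)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(Path(f.path).name, f.name, f.matched_by) for f in scan_tree(tmp)]


if __name__ == "__main__":
    for filename, name, how in demo():
        print(f"{filename:14s} {name:20s} matched by {how}")
```

Run the script to see the three findings. A production scanner hashes only plausible candidates (executables, DLLs, the files behind registered BHOs and autostart entries) rather than every file on disk, and pairs content matching with the registry checks the other products rely on.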

SpyBot Search & Destroy was the fastest scanner we tested. It leverages the knowledge that spyware must anchor itself at a few specific locations within Windows, and the tool always begins its searches in those locations. Based on what it finds, the program then uses its spyware definitions to determine where to look to delete all the files and references associated with a particular spyware instance. The central console component, which supplies client agents with centralized spyware definition updates and configuration data, is called Intranet Update Server. This component contains its own Web server (or uses an existing Web server) that distributes spyware definition updates to clients across a network. The Intranet Update Server itself obtains its definitions from the vendor via the Internet. A network administrator configures the Intranet Update Server to access vendor spyware definition updates on a fixed schedule or on demand. The client component is freeware, but licensing Intranet Update Server requires a donation to the product's author.

In addition to finding spyware, Spy Sweeper Enterprise, Omniquad AntiSpy Enterprise and SpySubtract Pro can delete browser cache data, browser history, cookies and chat history. Interestingly, SpySubtract Pro's SpySleuth module reveals exactly how and when a particular spyware program infected a given computer. All four products did an excellent job of describing and explaining the effect and significance of the different instances of spyware they found.

Spyware management

Spy Sweeper Enterprise had the most intuitive, easiest-to-navigate user interface. Setting spyware scan policies for groups of clients, scheduling scans and viewing reports was all a breeze. AntiSpy Enterprise's user interface wasn't quite as intuitive as Spy Sweeper Enterprise's, but AntiSpy Enterprise additionally lets network administrators establish a whitelist of Browser Helper Objects (BHO) to exclude in its scans. This feature is handy for companies that have programmers who have written in-house, custom BHOs and don't want those BHOs to show up on the list of potential spyware. Spy Sweeper Enterprise has a similar feature, which it calls a keep list.
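
The registry work behind these features can be shown in one place: the BHO enumeration that AntiSpy Enterprise's quick scan performs, the "few specific locations" SpyBot Search & Destroy checks first, and the keep list or BHO whitelist described above. The following is an added example, not code from any of the reviewed products. It parses a Windows registry export (the .reg text that reg export writes), resolves each registered BHO's CLSID to the DLL Internet Explorer will load, lists the Run-key autostart entries and drops anything on an administrator's keep list. The export text, CLSIDs, DLL names and keep-list paths are constructed; the registry locations used (the Browser Helper Objects key, HKCR\CLSID\{clsid}\InprocServer32 and the per-machine and per-user Run keys) are the real ones.

```python
"""Enumerate Browser Helper Objects (BHOs) and Run-key autostart entries from a
Windows registry export (.reg) and filter them against an administrator keep list.
Added example, not code from any reviewed product; export text, CLSIDs, DLL names
and keep-list paths are constructed, the registry locations themselves are real."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed export: an in-house BHO, an unknown BHO also autostarted via rundll32, a tray program.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Intranet Toolbar"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example Corp\\IntranetToolbar.dll"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\System32\\helper32x.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example Corp\\Tray.exe /tray"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"helper32x"="rundll32.exe C:\\WINDOWS\\System32\\helper32x.dll,Run"
'''

# Paths the administrator has vetted (Spy Sweeper's keep list, AntiSpy's BHO whitelist).
KEEP_LIST = (
    r"C:\Program Files\Example Corp\IntranetToolbar.dll",
    r"C:\Program Files\Example Corp\Tray.exe",
)

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
_unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def parse_reg(text):
    """Return {key_path: {value_name: value}}; key paths are lowercased because
    registry keys are case-insensitive. REG_SZ is decoded, other data kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if m := _KEY_RE.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            quoted = len(data) >= 2 and data[0] == data[-1] == '"'
            keys[current][name] = _unescape(data[1:-1]) if quoted else data
    return keys


def enumerate_bhos(reg):
    """One record per registered BHO: CLSID, COM friendly name and the DLL that
    Internet Explorer loads (the InprocServer32 default value)."""
    prefix = BHO_KEY.lower() + "\\"
    found = []
    for key in reg:
        if key.startswith(prefix):
            clsid = key[len(prefix):].split("\\")[0]
            clsid_key = f"{CLSID_ROOT}\\{clsid}".lower()
            found.append({"clsid": clsid.upper(),
                          "name": reg.get(clsid_key, {}).get("", ""),
                          "dll": reg.get(clsid_key + "\\inprocserver32", {}).get("", "")})
    return sorted(found, key=lambda b: b["clsid"])


def enumerate_run_entries(reg):
    """Autostart commands under the per-machine and per-user Run keys."""
    return [{"key": k, "name": n, "command": c}
            for k in RUN_KEYS for n, c in reg.get(k.lower(), {}).items()]


def flag_unknown(bhos, run_entries, keep_list=KEEP_LIST):
    """Drop BHOs whose DLL, and Run entries whose command line, reference a keep-listed path."""
    keep = [p.lower() for p in keep_list]  # Windows paths compare case-insensitively
    bhos = [b for b in bhos if b["dll"].lower() not in keep]
    runs = [e for e in run_entries if not any(p in e["command"].lower() for p in keep)]
    return bhos, runs


def demo(text=SAMPLE_REG):
    """Parse the export and return (unknown BHOs, unknown Run entries)."""
    reg = parse_reg(text)
    return flag_unknown(enumerate_bhos(reg), enumerate_run_entries(reg))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a live Windows system the same three functions would read the keys through winreg, or you run reg export and feed the file to parse_reg. Working from an export also lets you diff snapshots taken before and after a suspected infection, which is how you find the anchor points a new sample used. Note that the keep list matches paths, not file contents: an attacker who can overwrite a keep-listed DLL inherits its exemption, so pair the list with a content hash of the keep-listed files.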

Spy Sweeper Enterprise and Omniquad AntiSpy Enterprise let you deploy client modules from a central console. Network administrators will need to install SpySubtract Pro and SpyBot Search & Destroy client components individually on each client.

We also liked how Spy Sweeper Enterprise's administration console could send us an e-mail alert whenever a client detected spyware; from the console we could then inspect the scan results of virtually any client on the network. Omniquad AntiSpy Enterprise's console-free reporting interface also let us monitor spyware scan activity without having to visit the central console.

The reports from Spy Sweeper Enterprise and Omniquad AntiSpy Enterprise identified the clients with spyware, and the types detected. Both products supplied useful detail about the harmful effects of each spyware instance. While both products let administrators set up different policies for groups of users, we felt Spy Sweeper Enterprise offered more sophisticated control settings for individual clients or specific groups of clients.

Within each client, SpySubtract Pro's simple interface consists primarily of configuration and results windows. The results window shows a list of detected spyware. Clicking on an entry caused SpySubtract Pro to retrieve information about the nature and behavior of that spyware instance from its spyware definitions file and display that information.

SpyBot Search & Destroy's user interface was simple and intuitive. SpyBot Search & Destroy can start in either of two modes - easy or advanced - with easy as the default. In both modes, SpyBot Search & Destroy deflects and removes spyware. Advanced mode lets network administrators schedule scans and fix Windows registry inconsistencies spyware causes.

Spy Sweeper Enterprise comes with a printed Quick Start Guide and a System Administrator guide, augmented by online help files. SpySubtract Pro and Omniquad AntiSpy Enterprise's documentation includes only online help files. SpyBot Search & Destroy offers rather sparse online help.

SpySubtract Pro, Spy Sweeper Enterprise and Omniquad AntiSpy Enterprise all offer telephone and online support features, while SpyBot Search & Destroy technical support is available only through e-mail.

Page 1 of 2