How to filter Port 80 traffic

Because spyware installs and operates over Port 80, it passes onto computers without notice from the current generation of firewalls, says John Pescatore, vice president of security research for Gartner.

Because spyware installs and operates over Port 80, it passes onto computers without notice from the current generation of firewalls, says John Pescatore, vice president of security research for Gartner.

Anti-virus/firewall packages that do sweep http traffic over Port 80 for spyware patterns include Fortinet Fortgate, McAfee Internet Security Suite, Norton Internet Security 2004 and Trend Micro’s InterScan Web Security Suite for Windows.

Neither Trend Micro nor Symantec offer spyware detection on an enterprise level. Norton’s consumer product contains 313 spyware definitions, and Symantec plans to release the same capability in its enterprise software by end of the first quarter.

Intrusion detection isn’t the correct way to scan for spyware because it relies on attack signatures instead of traffic pattern analysis, users and analysts say.

“It’s hard to catch spyware by looking for exploit signatures because it installs on desktops through ActiveX plug-ins and browser helper objects,” says Jeff Horne, researcher for Internet Security Systems, which makes RealSecure intrusion-detection software.

“Spyware changes on a day-to-day basis. You’d need a team of researchers writing signatures every day and still you wouldn’t be able to keep up the signature files,” he says.

Instead, he says, you need pattern recognition to capture new forms of spyware. Take, for example, a spyware program called Trickler.

Trickler downloads tiny bits of spyware over hours or a day and gathers itself into a client. “You see this executable going out and trying to grab another executable and so on. Heuristic [pattern recognition] would recognize and put a stop to that,” he says.

Back to feature: Spyware