I'm responsible for maintaining the reliability and security of a fleet of corporate PCs, and spyware is the new bane of my existence. Of course, spyware is only one of a handful of new threats to my sanity and the systems I support, and the very term spyware encompasses a variety of threats—including adware, snoopware, and malware, as Joseph Kinsella describes in "Put a Stop to Spyware," March 2005, InstantDoc ID 45268. For the sake of simplicity, in this comparative review of enterprise-ready antispyware tools, I'll use the term "spyware" to refer to all non-virus system intrusions that form this class of threats. To participate in this review, products needed to offer antispyware functionality including but not limited to automated client-agent deployment, centralized management and reporting, and automated threat scanning and removal.
In this comparative review, I take a look at five enterprise-ready antispyware tools—Computer Associates' (CA's) eTrust PestPatrol Anti-Spyware Corporate Edition, FutureSoft's DynaComm i:scan, Omniquad's AntiSpy Enterprise Edition, Sunbelt Software's CounterSpy Enterprise, and Tenebril's SpyCatcher Enterprise. I was eager for the opportunity to review these products, which have been—in many cases—a long time coming. Administrators and users everywhere will likely welcome them with open arms. If you're wondering whether the antivirus heavyweights are joining the antispyware fight, the answer is yes, but at press time neither Symantec nor McAfee could participate in the review. See the sidebar "Not Ready for Prime Time" for a discussion of the enterprise antispyware offerings that we were unable to include in this review. And for information about Microsoft's recent foray into the antispyware space, see the sidebar "Microsoft's GIANT Acquisition."
How I Tested
To test these enterprise antispyware products, I created a group of four client systems and one server to act as the console and centralized management point for each product. The clients all ran Windows XP Service Pack 1 (SP1), with the exception of one system that had SP2 installed. The console system ran Windows Server 2003. Before testing any products, I installed and tracked varying collections of spyware on the client systems. After polluting the clients, I took a disk image of each system, which I used to restore the clients to their fully infected state for each product test.
See associated table
eTrust PestPatrol AntiSpyware Corporate Edition
CA acquired PestPatrol in late 2004 and has added the product to its eTrust line of solutions. The components of PestPatrol are the Management Console, the Workstation Agent, the command-line scanner, and the Active Protection module. You can install the Management Console on any Pentium-based system running Windows Server 2003, Windows XP Professional, or Windows 2000.
I installed the console and the included PDF-format Network Administrator's Guide on the management server in less than 1 minute, then launched the software from the Start menu. Upon launch, the software notified me that new updates were available and gave me the option of downloading them immediately. After the update, the console screen opened, as Figure 1 shows. I did a quick scan of the test clients with the Log only option selected, and PestPatrol displayed all detected pests. Next, I selected the Quarantine option for detected pests and rescanned. I switched to the View logs/Clean pests tab to delete the quarantined items. While viewing either logs or quarantined items, I could double-click an entry to view more threat-specific information, contained in the product's online Pest Encyclopedia.
The software couldn't quarantine some of the detected pests, and the log told me to scan with the Delete option selected to remove those items. When I scanned once more with the Delete option selected, the software removed the remaining pests. The log files for both Quarantine and Delete operations recommended a reboot of the client workstation to finish the removal process.
I also tested PestPatrol's scheduling, exclusion, notification, and update features. I configured the client systems to run a full scan of memory, cookies, registry, and disk drives once a week and scheduled a less intensive scan to run every day. The process of scheduling client scans is straightforward, and the scans proceeded without problems on my test systems. Because the software might identify some legitimate software as a threat, PestPatrol lets you create a list of items to exclude from a scan so that they're never quarantined or removed by mistake. I added Virtual Network Computing (VNC) to the list of exclusions in my test environment, and PestPatrol no longer identified it as a pest. Keep such exclusions as narrow as possible: an excluded path is a blind spot that the scanner will never report on, even if a real pest later lands there. Email alerting worked as I expected, although I would have appreciated more configurable message options. The PestPatrol console checks for updates each time you open it, and you can also manually check for updates from within the console. When the software downloads updates to the console, you must push them out to the clients. The option of scheduling both central-console and client updates would provide for better protection and less administrative interaction.
PestPatrol is an easy-to-use product that does a good job of detecting and removing spyware. CA could improve the console interface by adding simple selection and sorting enhancements. A console-managed command-line version of PestPatrol supports down-level clients such as Windows 98, but I didn't test this functionality.
DynaComm i:scan
FutureSoft was in the midst of a DynaComm i:scan product revision at the time of my testing. The enterprise product I tested addressed the criteria I specified, but it didn't incorporate registry-based and memory-based threat scanning. The personal version of DynaComm i:scan, however, contained these features. Assured by FutureSoft that registry-scanning and memory-scanning features would soon be part of the enterprise product, I agreed to a hybrid test, using the personal client to evaluate the spyware detection and removal capabilities.
When I installed the enterprise version of DynaComm i:scan, the software prompted me to specify the users who would have permission to use the product. You can populate the list of users from the domain or an individual system. The software then prompted me for an account under which the DynaComm i:scan service would run. After providing an account for the DynaComm i:scan service, the installation finished and I rebooted the server.
DynaComm i:scan's antispyware features are a subset of its overall content-security focus. The product is designed to scan storage throughout your enterprise, categorize the files it finds and—optionally—take action when it finds certain types of files. Actions range from logging to moving or deleting a file. File signatures identify problem files. The product includes a database of file signatures for spyware, as well as a collection of predefined scans (which Figure 2 shows) that look for files matching one or more file signatures. DynaComm i:scan gives you a great deal of control over file signatures, letting you create your own list of spyware or other types of offending files.
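The mechanics that both DynaComm i:scan and PestPatrol rely on, matching file signatures against storage and then logging, quarantining, or deleting what matches while honouring an administrator's exclusion list, are shown below as an added illustration. This is not code from either vendor. The signature database, pest names, directory layout, and file contents are all constructed for the example; a real product matches on far more than a whole-file hash.

```python
"""Signature-based spyware file scan with exclusions and log/quarantine/delete actions.

Added illustration, not vendor code. Hashes are of constructed sample bytes;
pest names and paths are hypothetical.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed signature database: SHA-256 of file content -> pest name.
# A shipping product carries thousands of signatures and updates them regularly.
SAMPLE_PESTS = {
    "ExampleAdware.A": b"CONSTRUCTED-PEST-A",
    "ExampleSnoopware.B": b"CONSTRUCTED-PEST-B",
    "RemoteAdmin.VNC": b"CONSTRUCTED-VNC-BINARY",  # legitimate tool that some scanners flag
}
SIGNATURES = {hashlib.sha256(v).hexdigest(): k for k, v in SAMPLE_PESTS.items()}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, signatures=SIGNATURES, excluded_paths=(), action="log", quarantine_dir=None):
    """Walk root, match file hashes against signatures, and apply the chosen action.

    Returns a list of (relative path, pest name, result) tuples. Exclusions are
    compared against resolved paths so a symlinked install is still excluded.
    """
    if action not in ("log", "quarantine", "delete"):
        raise ValueError(f"unknown action {action!r}")
    if action == "quarantine" and quarantine_dir is None:
        raise ValueError("quarantine requires quarantine_dir")
    root = Path(root)
    excluded = [Path(p).resolve() for p in excluded_paths]
    findings = []
    # Materialise the file list first: moving or deleting while walking is fragile.
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        resolved = path.resolve()
        if any(resolved == e or e in resolved.parents for e in excluded):
            continue  # admin-approved software is skipped entirely, so it's not even logged
        digest = sha256_of(path)
        pest = signatures.get(digest)
        if pest is None:
            continue
        result = "logged"
        try:
            if action == "quarantine":
                qdir = Path(quarantine_dir)
                qdir.mkdir(parents=True, exist_ok=True)
                # Keep the original name for later lookup, but neutralise the extension.
                shutil.move(str(path), str(qdir / f"{digest}_{path.name}.quarantined"))
                result = "quarantined"
            elif action == "delete":
                path.unlink()
                result = "deleted"
        except OSError as exc:
            # An in-use file can't always be moved; the caller should retry with
            # delete, or after a reboot, as the PestPatrol logs recommended.
            result = f"failed: {exc.strerror}"
        findings.append((path.relative_to(root).as_posix(), pest, result))
    return findings


def build_sample_environment():
    """Create a constructed client tree plus an empty quarantine dir in temp space."""
    base = Path(tempfile.mkdtemp(prefix="client_"))
    layout = {
        "Program Files/AdwareCo/ads.exe": SAMPLE_PESTS["ExampleAdware.A"],
        "Documents and Settings/user/Local Settings/Temp/track.dll": SAMPLE_PESTS["ExampleSnoopware.B"],
        "Program Files/VNC/winvnc.exe": SAMPLE_PESTS["RemoteAdmin.VNC"],
        "Program Files/Editor/notepad2.exe": b"CONSTRUCTED-CLEAN-FILE",
    }
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base, Path(tempfile.mkdtemp(prefix="quarantine_"))


if __name__ == "__main__":
    client, quarantine = build_sample_environment()
    for hit in scan(client):  # log-only pass, like the review's first run
        print("LOG", hit)
    vnc_dir = client / "Program Files" / "VNC"
    for hit in scan(client, excluded_paths=[vnc_dir], action="quarantine", quarantine_dir=quarantine):
        print("QUARANTINE", hit)
    for hit in scan(client, excluded_paths=[vnc_dir], action="delete"):
        print("DELETE", hit)  # nothing left: VNC excluded, pests already moved
```

The log-only pass is the safe first step on a polluted client: it shows everything the signature set matches, including legitimate tools such as VNC, before anything is moved. The exclusion is then applied by path rather than by pest name, so the same signature still fires if the binary turns up somewhere it doesn't belong.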
The first time I ran the Find Malware scan from the console, the product installed client service software on the targeted clients. The client service software, which runs on Windows NT and later, performs scanning locally on the client and provides configurable real-time monitoring and protection. (You can use the product to scan Win9x systems, but on Win9x systems, the console performs the scan over the network, consuming both network and console-server bandwidth.) The scan results showed numerous files that fit DynaComm i:scan's predefined malware signatures. I opened the file-scan log viewer, and by right-clicking identified files in the list I could choose to open, copy, move, or delete the items.
Although the enterprise version of DynaComm i:scan detected a number of disk-based spyware infections, I had to run the personal edition to gauge how DynaComm i:scan stacked up against the competition in terms of disk, memory, and registry threat detection and removal. DynaComm i:scan wields a lot of power, but along with the functionality comes a bit more complexity than you probably want to deal with if you're after a dedicated antispyware solution. In the end, DynaComm fared the worst in handling disk-based threats and second worst in handling registry threats, but I'm deriving these figures from the standalone tool.