A Black or White Anti-spyware Experience

By Andrew Garcia  |  Posted 2006-03-06

Because the eTrust ITM r8 client includes both anti-virus and anti-spyware engines, plus the overall agent structure itself, we had to create and apply several policies to gain full protection. Active protection and scheduled scans are configured separately within the anti-virus and anti-spyware components, and yet another policy is required to control agent communication, reporting and updating.

To schedule periodic anti-spyware scans, we created a policy dictating which types of scans to perform (memory, cookies, registry or common disk locations) and defined the action to take when a threat is found (report or quarantine). We could then schedule each scan to run one time or at a given frequency, as well as dictate the level of CPU usage for the scan.

To exclude specific malware strains or a family of detection types, we had to create and apply exclusion policies. We liked the flexibility that comes when exclusions are broken out from the scan policy, as we could easily configure and apply exceptions across multiple scan policies. For the exclusion policy, we could search for individual strains in the eTrust ITM r8 database or select from among 69 known threat categories as defined by CA, and we could apply them to many scan policies without needing to edit each one.
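The policy model described in the two paragraphs above (a scan policy that sets scan types, action, schedule and CPU ceiling, plus exclusion policies kept separate so one exclusion can be attached to many scans) can be illustrated with a small Python model. This is an added example written for this article, not CA's configuration format or code; the policy classes, the threat names, the categories and the sample findings are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class Action(Enum):
    """Action a scan policy takes when a threat is found (the review names report or quarantine)."""
    REPORT = "report"
    QUARANTINE = "quarantine"


@dataclass(frozen=True)
class Finding:
    """One detection produced by a scan. Names and categories here are constructed."""
    name: str        # threat strain, e.g. a specific keylogger
    category: str    # threat family/category (constructed, not CA's 69 categories)
    location: str    # where it was found: memory, cookies, registry or disk


@dataclass
class ExclusionPolicy:
    """An exclusion is defined once and can be attached to any number of scan policies."""
    name: str
    strains: FrozenSet[str] = frozenset()      # exclude individual strains by name
    categories: FrozenSet[str] = frozenset()   # or whole detection categories

    def excludes(self, finding: Finding) -> bool:
        return finding.name in self.strains or finding.category in self.categories


@dataclass
class ScanPolicy:
    """Scan types, action, schedule and CPU ceiling live here; exclusions are referenced, not copied."""
    name: str
    scan_types: FrozenSet[str]          # subset of {"memory", "cookies", "registry", "disk"}
    action: Action
    frequency_hours: Optional[int]      # None means run once; otherwise the repeat interval
    cpu_limit_pct: int                  # CPU ceiling for the scan
    exclusions: List[ExclusionPolicy] = field(default_factory=list)

    def evaluate(self, findings: Iterable[Finding]) -> Dict[str, str]:
        """Decide what happens to each finding under this policy."""
        decisions: Dict[str, str] = {}
        for f in findings:
            if f.location not in self.scan_types:
                continue  # outside this scan's scope, so it never surfaces here
            if any(ex.excludes(f) for ex in self.exclusions):
                decisions[f.name] = "excluded"
            else:
                decisions[f.name] = self.action.value
        return decisions


def attach_exclusion(policies: Iterable[ScanPolicy], exclusion: ExclusionPolicy) -> None:
    """Apply one exclusion policy to many scan policies without editing each scan definition."""
    for p in policies:
        if exclusion not in p.exclusions:
            p.exclusions.append(exclusion)


# Constructed sample findings, as a scan might report them.
SAMPLE_FINDINGS = [
    Finding("Example Adware Toolbar", "adware", "registry"),
    Finding("Example Tracking Cookie", "tracking-cookie", "cookies"),
    Finding("Example Keylogger", "keylogger", "memory"),
    Finding("Example Dialer", "dialer", "disk"),
]


def build_policies():
    """Two scan policies sharing one exclusion policy (all values constructed)."""
    quick = ScanPolicy("hourly-memory", frozenset({"memory", "cookies"}),
                       Action.REPORT, frequency_hours=1, cpu_limit_pct=20)
    full = ScanPolicy("weekly-full", frozenset({"memory", "cookies", "registry", "disk"}),
                      Action.QUARANTINE, frequency_hours=24 * 7, cpu_limit_pct=50)
    # One exclusion: a whole category plus one named strain, attached to both scans at once.
    allow = ExclusionPolicy("allowed-items", strains=frozenset({"Example Dialer"}),
                            categories=frozenset({"tracking-cookie"}))
    attach_exclusion([quick, full], allow)
    return quick, full


if __name__ == "__main__":
    for policy in build_policies():
        print(policy.name, policy.evaluate(SAMPLE_FINDINGS))
```

The hourly scan only covers memory and cookies, so the registry and disk findings never appear in its decisions; the shared exclusion turns the tracking cookie into "excluded" in both scans, and the named dialer strain is excluded wherever it is in scope, without touching either scan policy.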

Maintaining separate policies for virus and spyware scans is unusual for integrated products; competing products rely on a single engine to perform both types of detection. We appreciated that we could easily set up different schedules for both types of scans—something that, while possible with competing products, is not as straightforward as it is with eTrust ITM r8.

In spyware detection tests, we found eTrust ITM r8's detection capabilities far from perfect but better than most competing solutions we've seen to date.

In general, spyware defense was a black-and-white experience with eTrust ITM r8—we found detected threats cleaned to our satisfaction, while other threats were missed completely. eTrust ITM r8 successfully detected and removed threats from Claria, 180solutions and WhenU, as well as WideStep Security Software's Elite Keylogger, among others. Like every other anti-spyware solution we've tested, however, eTrust ITM r8 wasn't perfect by any means. It missed some troublesome threats to data security such as WareSight Keylogger's 007 Keylogger Spy.

For spyware blocking capabilities, eTrust ITM r8 relies on its robust signature detection library to keep malware from gaining a foothold. CA representatives argue that signature detection remains the most effective deterrent, as many spyware strains use a variety of mechanisms designed to evade heuristic blocking techniques.

While we agree that signature-based detection is the most accurate detection method and also produces the fewest false positives, signature-based solutions are reactive and unable to cope effectively with new or unknown threats. And we've seen some vendors, such as Panda Software with its TruPrevent technology, deliver promising results with behavioral detection capabilities.

eTrust ITM r8's active protection does monitor threats in memory, and in tests we found the product able to successfully deny many malware installations before they took hold. While we were able to install some threats that the product did not recognize, those it detected could not install at all.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
