How to Test Anti-Spyware Systems

By Andrew Garcia  |  Posted 2005-02-14

In a lab environment, administrators may find it difficult to reproduce the combinations—and depth—of spyware infections that real users may experience.

eWEEK Labs installed each product we tested on a fully patched Windows 2000 server, configured with a 2.4GHz processor and 512MB of RAM. We found that the products varied in the amount of processing power needed for day-to-day operation and reporting, so larger deployments should carefully consider how many clients each server will manage.

See the related reviews of Sunbelt's CounterSpy Enterprise, Tenebril's SpyCatcher 3.0 Enterprise and Webroot's Spy Sweeper Enterprise 2.0.

Ideally, administrators should make hard drive images of the systems most heavily inundated with spyware for reproduction in the lab. However, the resulting user downtime and limited hardware availability for testing may make this difficult for many organizations. If that's the case, we recommend leveraging existing Web filtering and monitoring tools at the gateway (or preferably at the desktop, since many computers travel outside the network confines) to gauge usage patterns.

Our testbed consisted of eight clients—a mixture of Windows 2000 Professional and Windows XP Professional workstations—spread across a simulated WAN. We deployed our clients using VMware Inc.'s VMware Workstation 4.5 installed on a pair of IBM eServer 325s, each running Windows 2003 Server Enterprise and configured with dual Advanced Micro Devices Inc. Opteron processors and 2GB of RAM.

We find that virtual workstations offer an excellent opportunity to isolate infections in a sandbox. Using the snapshot functionality, it is also quite easy to reset the testbed and reproduce the same environment for each product under test at a moment's notice.

For an enterprise-level deployment, administrators should carefully examine each anti-spyware product's impact and performance under real-world network conditions.

To test the deployment, ongoing management and bandwidth requirements of these products in a multisite scenario, we used Shunra Software Ltd.'s Shunra Virtual Network to simulate a WAN environment. With this software, we simulated a T-1 connection (1.544Mbps) between our home office and a remote site, replete with variable latency and packet loss.
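The same kind of link emulation can be reproduced on a Linux router VM placed between the two test segments, using the kernel's tc/netem queueing discipline instead of a commercial WAN emulator. The script below is an added example and is not part of the eWEEK article, nor does it describe how Shunra Virtual Network works; the interface names (HQ_IF, REMOTE_IF) and the latency, jitter and loss values are assumptions chosen to approximate the T-1 profile described above.

```shell
#!/bin/sh
# Added example (not from the eWEEK article): emulate a T-1 WAN link on a
# Linux router VM with tc/netem so each anti-spyware product under test is
# exercised over the same constrained, lossy path.
# Assumptions: the router VM has two interfaces, one facing each site, named
# in HQ_IF and REMOTE_IF (placeholders); tc commands must run as root.
# Set DRY_RUN=1 to print the tc commands instead of executing them.

HQ_IF="${HQ_IF:-eth1}"          # interface toward the home-office segment
REMOTE_IF="${REMOTE_IF:-eth2}"  # interface toward the remote-site segment

# Link profile. A T-1 carries 1.544 Mbit/s, which is 1544kbit in tc units
# (tc's kbit means 1000 bit/s). Delay, jitter and loss are assumed values.
RATE_KBIT="${RATE_KBIT:-1544}"
DELAY_MS="${DELAY_MS:-40}"      # one-way base latency applied per direction
JITTER_MS="${JITTER_MS:-10}"    # random +/- variation around the base delay
LOSS_PCT="${LOSS_PCT:-0.5}"     # random packet loss, in percent

# Build the netem argument string from the profile above.
netem_args() {
    printf 'delay %sms %sms loss %s%% rate %skbit' \
        "$DELAY_MS" "$JITTER_MS" "$LOSS_PCT" "$RATE_KBIT"
}

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Install the profile on one interface's egress queue ("replace" overwrites
# any existing root qdisc, so the script is safe to re-run after a snapshot
# reset of the router VM).
wan_apply_if() {
    run tc qdisc replace dev "$1" root handle 1: netem $(netem_args)
}

# Remove the emulation from one interface, restoring the default queue.
wan_clear_if() {
    run tc qdisc del dev "$1" root
}

# Each interface's egress is one direction of the WAN, so shaping both
# interfaces gives a symmetric T-1 with latency and loss in both directions.
wan_apply() { wan_apply_if "$HQ_IF"; wan_apply_if "$REMOTE_IF"; }
wan_clear() { wan_clear_if "$HQ_IF"; wan_clear_if "$REMOTE_IF"; }

# Print live netem statistics (sent, dropped) to confirm the profile is active.
wan_show() {
    run tc -s qdisc show dev "$HQ_IF"
    run tc -s qdisc show dev "$REMOTE_IF"
}

case "${1:-}" in
    apply) wan_apply ;;
    clear) wan_clear ;;
    show)  wan_show ;;
    *) : ;;   # no argument: define the functions only
esac
```

Run `./wan.sh apply` on the router VM before deploying each product's agents, `./wan.sh show` to confirm packets are being delayed and dropped, and `./wan.sh clear` between test runs. Because netem shapes egress only, the rate limit and loss are applied on both interfaces so that traffic from the management server to remote clients and the clients' reports back to the server both cross the emulated link.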

After completing the scan-and-clean process, we used a common free scan tool, LavaSoft Inc.'s Ad-Aware Personal, for a mop-up baseline scan to determine differences in the number of traces left behind by each product under test on a subset of our test clients.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
