Page Two

By Andrew Garcia  |  Posted 2005-07-21

Each vendor we worked with refers to spyware differently: McAfee uses the term Potentially Unwanted Programs, or PUPs; Symantec refers to security risks; Trend Micro uses the classification spyware/grayware. Whatever the nomenclature, each product integrates spyware detection and cleaning directly into its anti-virus engine, so administrators don't need to deploy multiple management systems or client agents, nor define separate scanning policies. Spyware signature updates are delivered integrated with, or at least simultaneously with, anti-virus updates.

Because spyware detection adds a large number of signatures to every scan, we worried that scan times or system resource usage would spike dramatically. In tests, however, these fears were not borne out. OfficeScan 7.0's and VirusScan Enterprise 8.0i's full virus and spyware sweeps generally completed within 10 to 15 minutes on all our test machines, while Symantec Client Security 3.0's scans generally took about 20 minutes.

To their credit, all the products effectively identified and disabled what we considered the most serious security threats in our testbed, a series of keystroke loggers. Symantec Client Security 3.0 and OfficeScan 7.0 disabled and removed each logger when first scanned, while VirusScan Enterprise 8.0i identified each instance on first scan and then removed those instances after we rebooted each affected client and performed a second scan.

Overall, we found that VirusScan Enterprise 8.0i provided the most complete spyware identification and cleaning capabilities. We could choose which types of malware, or any potentially malicious application, to scan for, including spyware, adware, remote admin tools, dialers and password crackers. From the client, we could also initiate in-depth scans of the Registry or scans for tracking cookies. As with the keystroke loggers, VirusScan Enterprise 8.0i removed most threats in our testbed on the second scan, after the first scan and a reboot ensured the malicious code was not active at clean time.

VirusScan Enterprise 8.0i also provided the most complete spyware-blocking capabilities of all the products we tested, denying our attempts to install Claria, PurityScan and one form of CoolWebSearch before they gained any traction on our test system. Symantec Client Security 3.0 and OfficeScan 7.0, on the other hand, allowed us to install these applications and then caught the offending components of these programs via continuously running active scans.

What OfficeScan 7.0 claims to clean is a bit of a mystery. Unlike with the other products, administrators can only enable or disable spyware/grayware detection by the integrated Damage Cleanup Services; there's simply no way to target scans at particular classes of threats.

OfficeScan 7.0 will identify tracking cookies, though, which can severely ratchet up the number of threats found. And because OfficeScan 7.0 does not allow administrators to target scans at specific threat classes, we could not disable cookie detection while continuing to scan for other spyware. Trend Micro representatives provided a patch that lets the log ignore cookie findings.

We found Symantec's spyware-cleaning capabilities, built into the AntiVirus Corporate Edition client component of Symantec Client Security, to be the weakest reviewed here. Symantec Client Security 3.0 gives administrators the flexibility to set different actions according to the threat class found (such as adware, dialers, spyware and trackware), but the product will not scan for tracking cookies. The software's ability to scan and clean the Registry pales in comparison with the other products as well, leaving many obvious threats in obvious places, such as the HKLM Run key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), which relaunches whatever it lists at every logon.

To top it off, several of our test clients could not complete a full scan of the infected host without the scanning engine crashing. Indeed, Client Security 3.0 essentially required running scans of heavily infected systems in Windows Safe Mode, which greatly amplified our administrative burden and still did not adequately disable many traces.

With each product we tested, some of our clients kept alerting for threats that we had verified were deleted during earlier cleaning attempts. This indicated that unknown components remaining on the infected system were rebuilding a known threat. While disabling and removing malicious code and active processes is important, each product tested could stand to improve its cleaning signatures so that they also remove the components that allow threats to regenerate.

For instance, OfficeScan 7.0 was the only product to effectively stifle a nasty bit of malware that hijacked one system's desktop, turning it into an Active Desktop Web search page and blocking us from accessing the desktop management tabs. While Symantec Client Security 3.0 and VirusScan Enterprise 8.0i were unable to deal with this problem at all, OfficeScan 7.0 restored the desktop and our configuration controls until the next reboot, when the problems reappeared.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration, providing network, server and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK magazine and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
