Each vendor we worked with refers to spyware differently: McAfee uses the term Potentially Unwanted Programs, or PUPs; Symantec refers to security risks; Trend Micro uses the classification of spyware/grayware. No matter what the nomenclature, each product integrates spyware detection and cleaning directly into its respective anti-virus engine. Therefore, administrators don't need to deploy multiple management systems or client agents, nor will they need to define separate scanning policies. Spyware signature updates are delivered integrated with, or at least simultaneously with, anti-virus updates. Because spyware detection necessitates a large spike in the number of signatures scanned, we worried that scan times or usage of system resources would spike dramatically. In tests, however, these fears were not borne out. OfficeScan 7.0's and VirusScan Enterprise 8.0i's full virus and spyware sweeps were generally completed within 10 to 15 minutes on all our test machines, while the Symantec Client Security 3.0 scans generally took about 20 minutes.

Overall, we found that VirusScan Enterprise 8.0i generally provided the most complete spyware identification and cleaning capabilities. We could decide which types of malware (or any potentially malicious application) we wished to scan for, including spyware, adware, remote admin tools, dialers and password crackers. From the client, we could also initiate in-depth scans of the Registry or scans to look for tracking cookies. As with the keystroke loggers, VirusScan Enterprise 8.0i removed most threats in our testbed on the second scan, after a first scan and reboot ensured the malicious code was not active at clean time. VirusScan Enterprise 8.0i also provided the most complete spyware-blocking capabilities of all the products we tested, denying our attempts to install Claria, PurityScan and one form of CoolWebSearch before they gained any traction on our test system.
Symantec Client Security 3.0 and OfficeScan 7.0, on the other hand, allowed us to install these applications and then caught the offending components of these programs via continuously running active scans.

What OfficeScan 7.0 claims to clean is a bit of a mystery. Unlike with the other products, administrators can use OfficeScan 7.0 only to enable or disable spyware/grayware detection by the integrated Damage Cleanup Services, but there's simply no way to target scans for particular classes of threats. OfficeScan 7.0 will identify tracking cookies, though, which can severely ratchet up the number of threats found. However, because OfficeScan 7.0 does not allow administrators to target scans for specific threats, we could not disable cookie detection while continuing to scan for other spyware. Trend Micro representatives provided a patch that allows the log to ignore cookie findings.

We found Symantec's spyware-cleaning capabilities, built into the AntiVirus Corporate Edition client component of Symantec Client Security, to be the weakest reviewed here. Symantec Client Security 3.0 provides the flexibility to allow administrators to set different actions according to the threat found (such as adware, dialers, spyware and trackware), but the product will not scan for tracking cookies. The software's ability to scan and clean the Registry pales in comparison with the other products as well, leaving many obvious threats in obvious places, such as the HKLM Run key. To top it off, we found several of our test clients could not complete a full scan of the infected host without the scanning engine crashing. Indeed, Client Security 3.0 essentially necessitated running scans of heavily infected systems in Windows Safe Mode, which greatly amplified our administrative burden and still did not adequately disable many traces.

With each product we tested, we noticed some of our clients kept alerting for threats that we verified had been deleted during earlier cleaning attempts.
This indicated that unknown components remaining on the infected system were attempting to rebuild a known threat. While disabling and removing malicious code and active processes are important, each product tested could stand to improve cleaning signatures to remove the components that allow threats to regenerate. For instance, OfficeScan 7.0 was the only product to effectively stifle a nasty bit of malware that hijacked one system's desktop, turning it into an Active Desktop Web search engine and blocking us from accessing desktop management tabs. While Symantec Client Security 3.0 and VirusScan Enterprise 8.0i were unable to deal with this problem at all, OfficeScan 7.0 restored the desktop and our configuration controls, until the next reboot, when the problems reappeared.
To their credit, all the products effectively identified and disabled what we considered the most serious security threats in our testbed, a series of keystroke loggers. Symantec Client Security 3.0 and OfficeScan 7.0 disabled and removed each logger when first scanned, while VirusScan Enterprise 8.0i identified each instance on first scan and then removed those instances after we rebooted each affected client and performed a second scan.