By Andrew Garcia  |  Posted 2005-10-03

Shavlik NetChk Spyware, Shavlik Technologies LLC's initial foray into spyware defense, shows great promise with an easy-to-deploy architecture and in-depth manageability and control—but eWEEK Labs tests show its immature scanning and detection could stand some improvement.

Shavlik NetChk Spyware, released in August, is a part of Shavlik's new NetChk Protect 5.5 line, which marries Shavlik's powerful, familiar HFNetChkPro patch management solution with new anti-spyware capabilities. All patch management and anti-spyware detection and cleaning can be controlled from a single management interface—an attractive option for companies leery of saddling their IT staff with additional management routines.

NetChk Spyware can be licensed separately—1,000 managed desktops cost an affordable $12.45 per workstation per year—or can be licensed with patch management services. NetChk Protect 5.5 with NetChk Spyware and patching costs $23.75 per workstation per year (for 1,000 clients). Current patching customers can add anti-spyware capabilities for $8.75 per workstation (again, for 1,000 clients).

Management is performed via a GUI that will be familiar to any user of Shavlik's patching products. The GUI is comprehensive and intuitive, but a little overcrowded on the screen for our tastes. A pair of new options, the Spyware Scanning and Signature Families spyware management components, reside in the leftmost navigation box.

NetChk Spyware comes preconfigured with a scan that performs checks for threats that Shavlik has classified as spyware, malware or adware. We could also configure scans to check for NonBizWare applications—which, according to the NetChk Spyware Signature Family, includes peer-to-peer and instant messaging applications, as well as various gaming and pornography apps. Because the NonBizWare category includes applications such as Skype Technologies S.A.'s Skype and Cerulean Studios' Trillian, administrators should take care not to inadvertently disable a critical communication application that users may rely on.

NetChk Spyware offers some of the most robust configurability we've seen from an anti-spyware product, giving administrators granular control to prioritize and categorize threats. Out of the box, Shavlik provides a threat assessment field for each signature in the database, but administrators can take it a step further and tag signatures with their own threat assessment using the Criticality field. In addition, we could create our own signature groups of particular threats—for instance, keystroke loggers—that caused us greatest concern.

Based on these assessments and our categorizations of the most dire threats to the test network, we created customized scans to search for and eliminate our designated worst threats at frequent intervals and left more comprehensive scans of lesser threats to run overnight.

Like Shavlik's patching engine, NetChk Spyware did not require us to preinstall agents on client desktops. However, the NetChk server must be able to contact clients via the Microsoft Corp. networking ports (TCP ports 139 and 445) and have the proper credentials to perform such a scan. No other configuration is necessary at the client, which makes it very quick and simple to get up and running.

NetChk Spyware offers two scan modes: network-based and dissolving services. Network-based scans rely on the server to perform the scan, which can lead to longer scan times and greater network utilization but has no lasting footprint on the client. The dissolving services mode, on the other hand, relies on the client processor to perform the scan. This expedites scans and leads to a more thorough cleaning, but it requires the included Shavlik Scheduler service to be installed on the client and the spy detection engine to be copied and run locally. This installation happens automatically as a scan job is pushed to the desktop.

NetChk Spyware's scan and remediate functions are configured separately, although we could choose to automatically remediate all found items after a scan was completed. We configured several remediation templates to send the necessary notifications, to vary the amount of CPU used on the client during the job and to offer users varying degrees of control over the reboot timing when the job was finished.

Because NetChk Protect is agentless, we were concerned about its ability to block spyware from infecting a system in the first place. Up-to-date patching is obviously an important part of Shavlik's strategy for avoiding spyware, but NetChk Protect offers a few protection items as well. The Protection Signature Family offers a temp-file cleaner, a Web site blacklist and an ActiveX kill bit that can prevent certain applications from being invoked from a browser.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
