Already among the most respected names in spyware defense, Webroot Software raises the bar with Spy Sweeper Enterprise 3.0. While the most advanced rootkit detection features still need improvements in breadth and stability, the overall detection capabilities are nonetheless miles ahead of any other enterprise-grade product available today.

With Version 3.0, which was released in June, the SSE client agent now uses kernel-level drivers to peer deep within client operations. With this new architecture, SSE is able to conduct bare-metal disk scans, indexing disk contents while bypassing the Windows API and then comparing the results with what Windows reports to identify rootkits and any malicious payload they conceal.

The new version brings SSE in line with Webroot's consumer-oriented Spy Sweeper variants, which have previously featured technology a generation ahead of the enterprise editions. With a 1,000-user license, SSE 3.0 costs an exceedingly affordable $11.99 per seat per year.

The root of the problem

eWEEK Labs tested SSE 3.0 against a few sample rootkits downloaded from www.rootkit.com, including FU, FUto, AFX Rootkit 2005 and Hacker Defender, and we found surprisingly variable results.

When we used AFX Rootkit 2005 to mask the presence of both malicious and benign content on our test Windows 2000 Professional workstation, SSE 3.0 was able to detect and quarantine the hidden malicious payload. However, it did not inform us of the presence of the rootkit or notify us of the hidden benign files, nor could it tag the AFX executables. (We also tried this test using fully patched Windows XP Service Pack 2 clients, but they crashed whenever we tried to run AFX.) Because a cross-view discrepancy is itself evidence of a rootkit, a scanner that surfaces only the hidden files it holds signatures for leaves the administrator unaware that the machine is still compromised.

F-Secure's Blacklight rootkit detector, on the other hand, which is focused solely on finding (not removing) files and processes hidden by rootkits, clearly reported all files hidden by the AFX rootkit.

We also tested SSE 3.0 by using the FU and FUto rootkits to hide low-priority malicious processes.
SSE 3.0 detected and quarantined the parts of FU deemed dangerous, but our Windows XP Pro test system crashed whenever we tried to remove the offending process (in this case, zango.exe). However, because of the client agent's direct access to the disk, SSE 3.0 is able to tag files and registry keys and delete them securely the next time Windows boots. So, despite the crash, the files and processes were removed once the system came back up.

SSE 3.0 did not, however, identify FUto's files or the payload hidden within. Webroot officials said FUto was not detected because the rootkit would not match Webroot's SSE signature until we recompiled the FUto code found on www.rootkit.com. While we understand that an advanced hacker would modify a known rootkit to fit his or her nefarious needs, it seems negligent that Webroot would design its signature detection to miss the lowest of the hanging fruit: the precompiled executable included in the sample rootkit download.

During tests, SSE 3.0 performed client scans significantly faster than previous versions of SSE did (often completing scans of our uninfected hosts within 5 minutes). Administrators should be aware that the direct disk scanning needed to perform rootkit detection will add to the time a scan takes. However, we were pleased to find that we could throttle CPU usage separately for disk and memory scans, thereby limiting the impact a scan would have on a system in use.

New detections for Browser Helper Objects and ActiveX controls are included with Version 3.0 of SSE, as well as a bidirectional firewall to block communications with known malware sites and memory sandboxing to help scan compressed files before exposing them to the operating system proper. We could control all these features centrally, applying them as part of the default scan behavior or assigning them to groups we defined within our organization.
We also could dictate the users' ability to interact with the client agent: We could completely hide the agent, or we could allow users to make limited or wholesale policy changes. Again, these controls could be assigned to groups we defined in the console.
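To make the two detection behaviours described above concrete, the following is an added example, not code from Webroot, eWEEK Labs or the rootkit authors. It models cross-view detection (a raw-disk listing diffed against the API listing) and then applies hash signatures to whatever the diff turns up, so that a hidden-but-unsigned file, whether a benign document or a recompiled FU binary, is still reported. The paths, file contents, hidden-directory behaviour and signature set are all constructed for illustration.

```python
"""Cross-view rootkit detection, modelled in miniature (added example)."""
import hashlib
from dataclasses import dataclass


def sig(content: bytes) -> str:
    """Hash used as a file signature; a single changed byte changes it."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Entry:
    """One file as reported by a particular enumeration path."""
    path: str
    content: bytes


# Constructed sample data (not taken from a real system). RAW_VIEW stands
# for what a scanner sees when it parses the volume directly; the API view
# is what directory enumeration returns once a rootkit filter is in place.
RAW_VIEW = [
    Entry(r"C:\Windows\notepad.exe", b"MZ...notepad..."),
    Entry(r"C:\hidden\zango.exe", b"MZ...zango payload v1..."),
    Entry(r"C:\hidden\fu.exe", b"MZ...fu precompiled sample..."),
    Entry(r"C:\hidden\fu_rebuilt.exe", b"MZ...fu rebuilt from source..."),
    Entry(r"C:\hidden\notes.txt", b"benign text the rootkit also hides"),
]

# Constructed signature database keyed by SHA-256 of known-bad content. The
# rebuilt FU binary is deliberately absent: a hash signature taken from one
# build does not match another build of the same source.
SIGNATURES = {
    sig(b"MZ...zango payload v1..."): "Zango",
    sig(b"MZ...fu precompiled sample..."): "FU rootkit (precompiled sample)",
}


def api_view_under_rootkit(raw: list[Entry], hidden_dir: str) -> list[Entry]:
    """Model a rootkit that drops everything under hidden_dir from the
    API-level directory listing (constructed behaviour for the example)."""
    prefix = hidden_dir.rstrip("\\").lower() + "\\"
    return [e for e in raw if not e.path.lower().startswith(prefix)]


def find_hidden(api: list[Entry], raw: list[Entry]) -> list[Entry]:
    """Cross-view diff: anything present on disk that the API view omits.
    Windows paths are case-insensitive, so compare them folded."""
    visible = {e.path.lower() for e in api}
    return [e for e in raw if e.path.lower() not in visible]


def scan(api: list[Entry], raw: list[Entry], signatures: dict) -> dict:
    """Report every hidden object, then say which ones a signature names.
    Unmatched hidden objects are still reported: the discrepancy itself is
    the evidence of a rootkit, independent of any signature."""
    hidden = find_hidden(api, raw)
    matched = {e.path: signatures[sig(e.content)]
               for e in hidden if sig(e.content) in signatures}
    unmatched = [e.path for e in hidden if sig(e.content) not in signatures]
    return {
        "hidden": [e.path for e in hidden],
        "matched": matched,
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    api = api_view_under_rootkit(RAW_VIEW, r"C:\hidden")
    report = scan(api, RAW_VIEW, SIGNATURES)
    for path in report["hidden"]:
        verdict = report["matched"].get(path, "hidden, no signature match")
        print(f"{path}: {verdict}")
```

Run against the constructed data, the scan lists all four entries under C:\hidden as hidden, names zango.exe and the precompiled fu.exe from the signature table, and reports fu_rebuilt.exe and notes.txt as hidden without a match. A scanner that surfaced only the matched entries would, like SSE in the tests above, quarantine a payload while saying nothing about the rootkit that concealed it.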