By Andrew Garcia  |  Posted 2006-09-11

Already among the most respected names in spyware defense, Webroot Software raises the bar with Spy Sweeper Enterprise 3.0. While the most advanced rootkit detection features still need improvements in breadth and stability, the overall detection features are nonetheless miles ahead of any other enterprise-grade product available today.

With Version 3.0, which was released in June, the SSE client agent now uses kernel-level drivers to peer deep within client operations. With this new architecture, SSE is able to conduct bare-metal disk scans, indexing disk contents while bypassing the Windows API and then comparing the results to what Windows sees to identify rootkits and any malicious payload contained within.
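The cross-view technique described above, as an added example that is not Webroot's code: enumerate the volume through a trusted low-level path, enumerate it again through the normal OS API, and report every entry the API view omits or misrepresents. The file listings and the signature set are constructed for the example; the paths, file contents and the `Finding` type are assumptions.

```python
"""Cross-view rootkit detection: diff a raw-disk view against the OS API view.
All data below is constructed for this example."""
from dataclasses import dataclass
import hashlib

# Constructed "raw disk" view: what a driver reading the volume directly sees.
RAW_VIEW = {
    r"C:\Windows\System32\kernel32.dll": b"legit-system-library",
    r"C:\Windows\System32\drivers\rootkit.sys": b"hidden-driver-bytes",
    r"C:\Users\test\zango.exe": b"hidden-payload-bytes",
    r"C:\Users\test\notes.txt": b"hidden but benign",
    r"C:\Users\test\hosts.bak": b"real-contents",
}
# Constructed "API view": what a program calling the Windows API is shown.
API_VIEW = {
    r"C:\Windows\System32\kernel32.dll": b"legit-system-library",
    r"C:\Users\test\hosts.bak": b"tampered-contents",  # shown, but not the real bytes
}
# Constructed signature set, keyed by SHA-256 of file contents (hypothetical).
KNOWN_MALICIOUS = {
    hashlib.sha256(b"hidden-payload-bytes").hexdigest(): "zango payload",
}


@dataclass
class Finding:
    path: str
    kind: str        # "hidden" (absent from API view) or "mismatch" (contents differ)
    malicious: bool  # True only when a signature matched
    label: str


def cross_view_findings(raw_view, api_view, signatures):
    """Return one Finding per discrepancy between the two views.
    Benign hidden files are reported too: a file that is not malware but is
    being hidden still proves that something on the box is hiding things."""
    findings = []
    for path, data in sorted(raw_view.items()):
        if path in api_view and api_view[path] == data:
            continue  # visible and consistent: nothing to report
        kind = "hidden" if path not in api_view else "mismatch"
        label = signatures.get(hashlib.sha256(data).hexdigest())
        findings.append(Finding(path, kind, label is not None,
                                label or "no signature match"))
    return findings
```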

The new version brings SSE in line with Webroot's consumer-oriented Spy Sweeper variants, which have previously featured technology a generation ahead of the enterprise editions.

With a 1,000-user license, SSE 3.0 costs an exceedingly affordable $11.99 per seat per year.

The root of the problem

eWEEK Labs tested SSE 3.0 against a few sample rootkits downloaded from www.rootkit.com—including FU, FUto, AFX Rootkit 2005 and Hacker Defender—and we found surprisingly variable results.

When we used AFX Rootkit 2005 to mask the presence of both malicious and benign content on our test Windows 2000 Professional workstation, SSE 3.0 was able to detect and quarantine the hidden malicious payload. However, it did not inform us of the presence of the rootkit or notify us of the hidden benign files, nor could it tag the AFX executables. (We also tried this test using fully patched Windows XP Service Pack 2 clients, but they crashed whenever we tried to run AFX.)

F-Secure's Blacklight rootkit detector, on the other hand, which is focused solely on finding—not removing—files and processes hidden by rootkits, clearly reported all files hidden by the AFX rootkit.

We also tested SSE 3.0 by using the FU and FUto rootkits to hide low-priority malicious processes.

SSE 3.0 detected and quarantined the parts of FU deemed dangerous, but our Windows XP Pro test system crashed whenever we tried to remove the offending process (in this case, zango.exe).

However, because of the client agent's direct access to the disk, SSE 3.0 is able to tag files and registry keys and delete them securely the next time Windows is booted. So, despite the crash, the files and processes were removed when the system was restored after the crash.

SSE 3.0 did not, however, identify FUto's files or the payload hidden within. Webroot officials said FUto was not detected because the rootkit would not match Webroot's SSE signature until we recompiled the FUto code found on www.rootkit.com. While we understand that an advanced hacker would modify a known rootkit to fit his or her nefarious needs, it seems negligent that Webroot would design its signature detection to miss the lowest of the hanging fruit—the precompiled executable included in the sample rootkit download.

During tests, SSE 3.0 performed client scans significantly faster than previous versions of SSE did (often completing scans of our uninfected hosts within 5 minutes).

Administrators should be aware that the direct disk scanning needed to perform rootkit detection will add to the amount of time it takes to perform a scan. However, we were pleased to find that we could throttle CPU usage separately for disk and memory scans, thereby limiting the impact a scan would have on a system in use.

New detections for Browser Helper Objects and ActiveX controls are included with Version 3.0 of SSE, as well as a bidirectional firewall to block communications with known malware sites and memory sandboxing to help scan compressed files before exposing them to the operating system proper.

We could control all these features centrally, applying them as part of the default scan behavior or specifying them for groups we defined within our organization. We also could dictate the users' ability to interact with the client agent: We could completely hide the agent, or we could allow users to make limited or wholesale policy changes. Again, these controls could be dictated to groups we defined in the console.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
