How to Test Anti-Spyware Systems


eWEEK Labs installed each product we tested on a fully patched Windows 2000 server, configured with a 2.4GHz processor and 512MB of RAM. We found that the products varied in the amount of processing power needed for day-to-day operation and reporting, so larger deployments should carefully consider how many clients each server will manage.

Click here to read reviews of Sunbelt's CounterSpy Enterprise, Tenebril's SpyCatcher 3.0 Enterprise and Webroot's Spy Sweeper Enterprise 2.0.

In a lab environment, administrators may find it difficult to reproduce the combinations—and depth—of spyware infections that real users may experience.

Ideally, administrators should make hard drive images of the systems most heavily inundated with spyware for reproduction in the lab. However, the resulting user downtime and limited hardware availability for testing may make this difficult for many organizations. If that's the case, we recommend leveraging existing Web filtering and monitoring tools at the gateway (or preferably at the desktop, since many computers travel outside the network confines) to gauge usage patterns.

Our testbed consisted of eight clients—a mixture of Windows 2000 Professional and Windows XP Professional workstations—spread across a simulated WAN. We deployed our clients using VMware Inc.'s VMware Workstation 4.5 installed on a pair of IBM eServer 325s, each running Windows 2003 Server Enterprise and configured with dual Advanced Micro Devices Inc. Opteron processors and 2GB of RAM.

We find that virtual workstations offer an excellent opportunity to isolate infections in a sandbox. Using the snapshot functionality, it is also quite easy to reset a testbed to reproduce the same environment for each product under test at a moment's notice.

For an enterprise-level deployment, administrators should carefully examine each anti-spyware product's impact and performance under real-world network conditions.


To test the deployment, ongoing management and bandwidth requirements of these products in a multisite scenario, we used Shunra Software Ltd.'s Shunra Virtual Network to simulate a WAN environment. With this software, we simulated a T-1 connection (1.544M bps) between our home office and a remote site, replete with variable latency and packet loss.

After completing the scan-and-clean process, we used a common free scan tool, LavaSoft Inc.'s Ad-Aware Personal, for a mop-up baseline scan to determine differences in the number of traces left behind by each product under test on a subset of our test clients.
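
The mop-up comparison above can be scripted once the scan results are exported to text. The following is an added example, not eWEEK Labs' tooling: it goes one step further than the article by also assuming an inventory taken from the infected snapshot before cleaning, and the pipe-delimited layout, client names and product names are constructed for illustration.

```python
# Constructed sample data, one trace per line: client|category|location.
# Layout and product names are assumptions, not any real scanner's export format.
BASELINE = r"""
xp-01|registry|HKLM\Software\ExampleAdware
xp-01|file|C:\Program Files\ExampleAdware\ea.dll
xp-01|cookie|tracker.example
w2k-02|registry|HKCU\Software\ExampleBar
w2k-02|file|C:\WINNT\exbar.exe
"""
MOPUP = {  # mop-up scan output after each product's scan-and-clean pass
    "product-A": r"""
xp-01|cookie|tracker.example
w2k-02|registry|hkcu\software\examplebar
""",
    "product-B": r"""
xp-01|cookie|tracker.example
xp-01|file|C:\Temp\dropped.tmp
""",
}


def parse(text):
    """Return {(client, category, location)}; location is lower-cased since
    Windows paths and registry keys are case-insensitive."""
    rows = (l.strip().split("|", 2) for l in text.splitlines() if l.strip())
    return {(c, cat, loc.lower()) for c, cat, loc in rows}


def compare(baseline_text, mopup_by_product):
    """Score each product against the pre-clean snapshot inventory."""
    baseline = parse(baseline_text)
    if not baseline:
        raise ValueError("empty baseline: nothing to measure removal against")
    report = {}
    for product, text in mopup_by_product.items():
        found = parse(text)
        residual = baseline & found       # known traces the product left behind
        report[product] = {
            "residual": residual,
            "new": found - baseline,      # not in the snapshot: review separately
            "removal_rate": 1 - len(residual) / len(baseline),
        }
    return report


def missed_by_all(report):
    """Traces that survived every product's scan-and-clean pass."""
    return set.intersection(*(r["residual"] for r in report.values()))
```

Traces reported under `new` were not in the snapshot inventory, so they are kept out of the removal rate and should be checked by hand rather than counted against a product.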
