Seventeen months after announcing the purchase of PestPatrol anti-spyware technology, CA is the first anti-virus company to meld its own technology with an acquired anti-spyware solution. Although the resulting eTrust ITM r8 solution is relatively late to market, the time CA took to meld the technologies has produced a compelling and feature-rich product.
eWEEK Labs tests show that IT managers might have more difficulty installing and configuring eTrust ITM (Integrated Threat Management) r8 across the enterprise than they would with competing integrated security suites, but the CA offering's solid protection; new Web-based consoles; and integrated reporting, updating and alerting definitely make it worthy of consideration.
eTrust ITM r8 costs $27 per workstation for 1,000 seats (or $13.95 per workstation for 5,000 seats). This pricing is on par with that of competing solutions from Symantec and Trend Micro and is much more affordable than McAfee's integrated solution.
Although eTrust ITM r8, which started shipping in January, leverages separate detection engines for anti-virus and anti-spyware capabilities, both engines are maintained under the same overarching client agent. eTrust PestPatrol's communication protocol has been rewritten to work with the eTrust Antivirus agent, so eTrust ITM r8 leverages the same reporting, logging, quarantining and updating mechanisms for both engines.
For instance, with the unified agent architecture, updates for anti-virus signatures, anti-spyware pattern files and agent components are delivered together during one update process. However, anti-virus and anti-spyware signatures remain separate files because each uses different file formats and structures. Also, with eTrust ITM r8, anti-virus signatures use the new MicroDAT File Method to deliver only differential update information, saving bandwidth and system resources.
Administrators can deploy eTrust ITM r8 agents to Windows 2000-, Windows 2003- or Windows XP-based hosts across the enterprise using the included (but separately installed) Remote Install tool. With this tool, we were able to preconfigure agents with server, update and other configuration data tailored to a particular client's needs. We also could provide a more general configuration and update the client via policy when it checked in with the eTrust ITM server for the first time.
eTrust ITM r8 offers completely Web-based management, both for the central administration console and for individual client agents. We found the various Web interfaces to be a little sluggish, with long load times as we navigated among various screens, but their layouts were intuitive and easy to use.
To organize clients within the central console, we needed to create detection groups, which automatically organize clients by subnet in a routed network.
The ITM Server discovers clients in a couple of ways: The client leverages phone-home behavior to register with the ITM Server, or the ITM Server actively discovers clients. Although the phone-home method worked seamlessly in tests, we had trouble getting discovery to behave correctly. By default, the ITM Server uses an IP broadcast for discovery, which may not be permitted across routers in the network.
We could also configure discovery to perform a sweep (which was very slow) or use a specified election over UDP Port 42508. But with a specified election, we had to make sure to configure the discovery group with a known valid host address (rather than with subnet information), which took a fair amount of time to figure out.
We configured our detection groups to automatically assign member clients to branches of the ITM Server's Organization tree, which is the structure to which policies are assigned. To these branches, we then applied policies—a lot of them.
A Black or White Anti-spyware Experience
Because the eTrust ITM r8 client includes both anti-virus and anti-spyware engines, plus the overall agent structure itself, we had to create and apply several policies to gain full protection. Active protection and scheduled scans are configured separately within the anti-virus and anti-spyware components, yet another policy is required to control agent communication, reporting and updating.
To schedule periodic anti-spyware scans, we created a policy dictating which types of scans to perform (memory, cookies, registry or common disk locations) and defined the action to take when a threat is found (report or quarantine). We could then schedule each scan to run one time or at a given frequency, as well as dictate the level of CPU usage for the scan.
To exclude specific malware strains or a family of detection types, we had to create and apply exclusion policies. We liked the flexibility that comes when exclusions are broken out from the scan policy, as we could easily configure and apply exceptions across multiple scan policies. For the exclusion policy, we could search for individual strains in the eTrust ITM r8 database or select from among 69 known threat categories as defined by CA, and we could apply them to many scan policies without needing to edit each one.
Maintaining separate policies for virus and spyware scans is unusual for integrated products; competing products rely on a single engine to perform both types of detection. We appreciated that we could easily set up different schedules for both types of scans—something that, while possible with competing products, is not as straightforward as it is with eTrust ITM r8.
In spyware detection tests, we found eTrust ITM r8's detection capabilities far from perfect but better than most competing solutions we've seen to date.
In general, spyware defense was a black-and-white experience with eTrust ITM r8—we found detected threats cleaned to our satisfaction, while other threats were missed completely. eTrust ITM r8 successfully detected and removed threats from Claria, 180solutions and WhenU, as well as WideStep Security Software's Elite Keylogger, among others. Like every other anti-spyware solution we've tested, however, eTrust ITM r8 wasn't perfect by any means. It missed some troublesome threats to data security, such as WareSight Keylogger's 007 Keylogger Spy.
For spyware blocking capabilities, eTrust ITM r8 relies on its robust signature detection library to keep malware from gaining a foothold. CA representatives argue that signature detection remains the most effective deterrent, as many spyware strains use a variety of mechanisms designed to evade heuristic blocking techniques.
While we agree that signature-based detection is the most accurate detection method and also causes the fewest false positives, signature-based solutions are reactive and unable to cope effectively with new or unknown threats. And we've seen some vendors, such as Panda Software with its TruPrevent technology, deliver promising results with behavioral detection capabilities.
eTrust ITM r8's active protection does monitor threats in memory, and in tests we found the product able to successfully deny many malware installations before they took hold. Although we were able to install some threats that went undetected, every threat the product did detect was blocked from installing at all.
Evaluation Shortlist
Kaspersky Lab's Kaspersky Security Corporate Suite: Provides industry-leading detection rates, hourly signature updates and a brand-spanking-new Admin Pack to beef up enterprise management (www.kaspersky.com)
McAfee's VirusScan Enterprise 8.0i with Anti-Spyware Enterprise Edition: Offers fine all-around protection and good central management but at a relatively high price point (www.mcafee.com)
Symantec's Client Security 3.0: We're still waiting for Symantec to suck it up and buy a stand-alone anti-spyware company, since its current spyware protections are well below par (www.symantec.com)
Trend Micro's OfficeScan Client/Server 7.0: Interesting possibilities for multilayered cleaning with Damage Control Services, and Intermute anti-spyware integration will happen sooner rather than later (www.trendmicro.com)
Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.