    Spy Sweeper Digs Deep for Rootkits

    Written by

    Andrew Garcia
    Published September 11, 2006

      Already among the most respected names in spyware defense, Webroot Software raises the bar with Spy Sweeper Enterprise 3.0. While the most advanced rootkit detection features still need improvements in breadth and stability, the overall detection features are nonetheless miles ahead of any other enterprise-grade product available today.


      With Version 3.0, which was released in June, the SSE client agent now uses kernel-level drivers to peer deep within client operations. With this new architecture, SSE is able to conduct bare-metal disk scans, indexing disk contents while bypassing the Windows API and then comparing the results to what Windows sees to identify rootkits and any malicious payload contained within.


      The new version brings SSE in line with Webroot's consumer-oriented Spy Sweeper variants, which have previously featured technology a generation ahead of the enterprise editions.

      With a 1,000-user license, SSE 3.0 costs an exceedingly affordable $11.99 per seat per year.

      The root of the problem

      eWEEK Labs tested SSE 3.0 against a few sample rootkits downloaded from www.rootkit.com, including FU, FUto, AFX Rootkit 2005 and Hacker Defender, and we found surprisingly variable results.

      When we used AFX Rootkit 2005 to mask the presence of both malicious and benign content on our test Windows 2000 Professional workstation, SSE 3.0 was able to detect and quarantine the hidden malicious payload. However, it did not inform us of the presence of the rootkit or notify us of the hidden benign files, nor could it tag the AFX executables. (We also tried this test using fully patched Windows XP Service Pack 2 clients, but they crashed whenever we tried to run AFX.)

      F-Secure's Blacklight rootkit detector, on the other hand, which is focused solely on finding, not removing, files and processes hidden by rootkits, clearly reported all files hidden in the AFX rootkit.
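The cross-view technique the review describes (a raw disk enumeration compared against what the Windows API reports) and the gap it exposes (SSE flagged only the signature-matched payload, while Blacklight reported every hidden file) can be illustrated with a small detector over constructed listings. This is an added example, not Webroot's or F-Secure's code; the directory views, content digests and signature table are all made up for the illustration.

```python
"""Cross-view rootkit detection over constructed sample data.

Anything present in the raw (below-API) view but missing or altered in the
API view is treated as hidden, whether or not a signature matches it."""
from dataclasses import dataclass
from typing import Optional

# Constructed raw enumeration of a directory tree: path -> content digest.
RAW_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": "a1",
    r"C:\WINDOWS\system32\drivers\hiddenpayload.exe": "b2",
    r"C:\Users\lab\notes.txt": "c3",
    r"C:\WINDOWS\system32\drivers\rk_driver.sys": "d4",
}
# Constructed Windows-API enumeration of the same tree: the rootkit filters
# out its own driver, its payload and one benign file (as AFX did in the test).
API_VIEW = {
    r"C:\WINDOWS\system32\kernel32.dll": "a1",
}
# Constructed signature table (digest -> name). Only the payload has a
# signature; the driver and the benign file deliberately do not.
SIGNATURES = {"b2": "constructed.payload"}


@dataclass(frozen=True)
class Finding:
    path: str
    hidden: bool
    signature: Optional[str]


def cross_view(raw: dict, api: dict) -> list:
    """One Finding per raw entry; hidden=True when the API view lacks the
    path or reports different content for it."""
    return [Finding(path, api.get(path) != digest, SIGNATURES.get(digest))
            for path, digest in raw.items()]


def rootkit_present(findings) -> bool:
    """Any hidden entry is evidence of a rootkit, signature match or not.
    This is what Blacklight reports and what a signature-only view misses."""
    return any(f.hidden for f in findings)


def hidden_unsigned(findings) -> list:
    """Hidden entries with no signature: the rootkit driver and the benign
    file that a payload-only report would stay silent about."""
    return sorted(f.path for f in findings if f.hidden and f.signature is None)
```
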

      We also tested SSE 3.0 by using the FU and FUto rootkits to hide low-priority malicious processes.

      SSE 3.0 detected and quarantined the parts of FU deemed dangerous, but our Windows XP Pro test system crashed whenever we tried to remove the offending process (in this case, zango.exe).

      However, because of the client agent's direct access to the disk, SSE 3.0 is able to tag files and registry keys and delete them securely the next time Windows is booted. So, despite the crash, the files and processes were removed when the system was restored after the crash.

      SSE 3.0 did not, however, identify FUto's files or the payload hidden within. Webroot officials said FUto was not detected because the rootkit would not match Webroot's SSE signature until we recompiled the FUto code found on www.rootkit.com. While we understand that an advanced hacker would modify a known rootkit to fit his or her nefarious needs, it seems negligent that Webroot would design its signature detection to miss the lowest of the hanging fruit: the precompiled executable included in the sample rootkit download.

      During tests, SSE 3.0 performed client scans significantly faster than previous versions of SSE did (often completing scans of our uninfected hosts within 5 minutes).

      Administrators should be aware that the direct disk scanning needed to perform rootkit detection will add to the amount of time it takes to perform a scan. However, we were pleased to find that we could throttle CPU usage separately for disk and memory scans, thereby limiting the impact a scan would have on a system in use.

      New detections for Browser Helper Objects and ActiveX controls are included with Version 3.0 of SSE, as well as a bidirectional firewall to block communications with known malware sites and memory sandboxing to help scan compressed files before exposing them to the operating system proper.

      We could control all these features centrally, applying them as part of the default scan behavior or specifying them to groups we defined within our organization. We also could dictate the users ability to interact with the client agent: We could completely hide the agent, or we could allow users to make limited or wholesale policy changes. Again, these controls could be dictated to groups we defined in the console.


      Management and architecture

      With SSE 3.0, Webroot is starting to phase out Elevate Software's DBISAM database used in previous versions of the product. Customers now can install SSE with Microsoft's full SQL Server 2000 or SQL Server 2005 databases or with SQL Express 2005. While our SSE 3.0 installation using SQL Express 2005 was fairly straightforward, we discovered that SSE 3.0 requires the database to use named pipe authentication (rather than Windows authentication). This requirement was not documented in the setup manuals.

      The new database options have opened up SSE for improved reporting as well, although we've seen more robust reporting from competing solutions such as CA's Integrated Threat Management. SSE 3.0 includes several canned reports that enumerate spyware details, trends and status by host or group for a given period of time. By default, the reports are generated in PDF files for easy dissemination.


      To scale signature definition delivery for larger organizations, we could install and configure Distributors on Windows-based servers or clients throughout the network. However, we were disappointed that we could not deploy Distributors via the Admin Console. We were required to manually install the package on the intended host, or we could deploy a Windows Installer .msi package via Active Directory. We then had to add the link to the Distributor in the administration console to synchronize the update directories.

      Pushing the client agent to workstations from the Spy Sweeper management console could not be much easier, provided the workstation firewall is configured correctly. From the Client Install/Uninstall item under the Administration node, we simply selected the systems we wished to manage from the Network view and clicked Install. We could also install the client agent to target host names, IP addresses or IP ranges.

      To push agents to client machines with firewalls configured, administrators must make sure to enable the Windows Firewall remote administration exception (via Microsoft's Active Directory Group Policy or otherwise) that permits communications via DCOM (Distributed Component Object Model).

      Unfortunately, SSE 3.0's Network View does not tap into LDAP to recognize or enumerate already-defined organizational structures within Active Directory, so we could not easily target deployment according to our domain's Organizational Units or Groups. This also meant that we had to again organize our managed Spy Sweeper agents within Webroot's management console.

      According to Webroot officials, Webroot now offers a separate tool for performing a one-time import from Active Directory, but true LDAP integration won't come until Version 4.0 of SSE.

      All management and reporting functions are performed in SSE 3.0's Admin Console, which is now fully Web-based. As part of the SSE Server installation process, an HTML-based Admin Console application is automatically installed on the server itself, but administrators can also manage the system via a Web browser from any host in the network, allowing multiple administrators to work simultaneously in the system.

      SSE 3.0 allowed us to create multiple administrative accounts to the management console, but we were dismayed to see that we still could not assign SSE groups to administrators. We'd like to see Webroot add the ability to delegate administration to the appropriate IT person without requiring us to hand every administrator the keys to the kingdom.


      Evaluation Shortlist

      • CA's eTrust PestPatrol: Provides solid defenses and pairs up nicely with the anti-virus capabilities in CA's Integrated Threat Management suite (www.ca.com)
      • McAfee's AntiSpyware Enterprise: The best of the products from the big anti-virus vendors (www.mcafee.com)
      • Sunbelt Software's CounterSpy Enterprise: A fine product in its own right, and Sunbelt's Eric Howes is at the forefront of a movement toward better testing methodologies for anti-spyware defenses (www.sunbelt-software.com)

      Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.
