Anti-Spyware Hones Searches

Tech Analysis: Vendors use a variety of new tools to sharpen anti-spyware.

In the long run, at least, eWEEK Labs believes that anti-spyware defenses are an appropriate and logical component of anti-virus security suites. Integrating spyware and adware defenses into the anti-virus platform can provide a single point of management; ease research, testing and deployment; and, ideally, scan, clean and block threats efficiently and effectively.

In previous tests, however, we found some well-known anti-virus companies' integrated products were not yet up to the task, lagging well behind stand-alone solutions in effectiveness—particularly at blocking new threats from infecting a "protected" system. (A review of several anti-spyware/anti-virus products is at

But other anti-virus companies have made significant strides in the war against spyware, using new technologies—or using traditional technologies better—to keep infections off the desktop.

Panda Software International S.L.'s products feature a robust signature database and TruPrevent to help avoid infection from previously unknown malware strains. TruPrevent, a behavioral analysis module, looks at actions by installed applications, rooting out suspicious or damaging behavior.

Some products, among them Eset s.r.o.'s NOD32, also include Web filtering technologies to help keep users from downloading malicious code from known bad Web sites. NOD32 uses advanced heuristics that create a virtual machine in memory, which allows NOD32 to unpack or decrypt packages without infecting the underlying operating system or file system. In this way, Eset's product can root out malicious code embedded in packed or encrypted files. With an integrated engine that's built for speed, NOD32 also promises the fastest scans in the industry for viruses, adware, spyware and other potentially dangerous applications.

Kaspersky Lab also uses a number of techniques to block threats. Kaspersky Lab's methods include several types of heuristics, checksum technologies to avoid scanning files known to be good, and scanning of repackagers and archives.

However, Kaspersky Lab gets the biggest kudos for its signature database. Ultimately, signatures are the most accurate way to detect threats or properly clean them, and Kaspersky Lab is renowned for the speed with which it releases signatures for newly discovered threats, promising hourly updates. To reduce the impact on the network, Kaspersky engineers are committed to keeping these constant updates very small, usually in the neighborhood of 50KB each.
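The checksum technique and the frequent signature updates described in the two paragraphs above interact: a file cleared under an older database must be rescanned once new signatures arrive. The sketch below is an added example, not code from any vendor named in this article; the signature names, byte patterns and the `Scanner` class are constructed for illustration.

```python
import hashlib

# Constructed signature sets: byte patterns standing in for real signatures.
SIGS_V1 = {"Sample.Adware.A": b"ADWARE-MARKER-A"}
SIGS_V2 = {**SIGS_V1, "Sample.Spyware.B": b"SPYWARE-MARKER-B"}


class Scanner:
    """Hypothetical scanner: skips content whose checksum was already cleared."""

    def __init__(self, signatures, db_version):
        self.signatures = signatures
        self.db_version = db_version
        self.known_good = {}   # sha256 hex -> database version it was cleared under
        self.full_scans = 0    # how often the expensive signature pass ran

    def update_signatures(self, signatures, db_version):
        # A new database can flag content cleared earlier, so each cached
        # checksum only counts for the version it was recorded under.
        self.signatures = signatures
        self.db_version = db_version

    def scan(self, data: bytes):
        digest = hashlib.sha256(data).hexdigest()
        if self.known_good.get(digest) == self.db_version:
            return ("skipped", None)   # unchanged and cleared under this database
        self.full_scans += 1
        for name, pattern in self.signatures.items():
            if pattern in data:
                self.known_good.pop(digest, None)
                return ("detected", name)
        self.known_good[digest] = self.db_version
        return ("clean", None)


def demo():
    s = Scanner(SIGS_V1, 1)
    benign = b"plain document contents"              # constructed sample
    late = b"installer ... SPYWARE-MARKER-B ..."     # not yet known to V1
    results = [s.scan(benign), s.scan(benign), s.scan(late), s.scan(late)]
    s.update_signatures(SIGS_V2, 2)                  # new signatures arrive
    results += [s.scan(late), s.scan(benign), s.scan(benign)]
    return results, s.full_scans


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

If the cache ignored the database version, the second sample would stay "skipped" after the update and never be detected.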

Batting cleanup

We brought two consumer-grade anti-virus packages into eWEEK Labs—Panda Software International's Panda Platinum 2006 Internet Security and Eset's NOD32 Version 2.5—to test-drive their spyware defenses on a pair of infected systems. Both products are intended for home use, but each taps the same scanning, cleaning and blocking technology as its enterprise-grade sibling.


Platinum 2006, which started shipping last month priced at $80, contains a desktop firewall, a spam filter and Web content filtering. In tests, Platinum 2006 performed extremely well at cleaning and blocking. It immediately removed the most worrisome spyware traces on our systems, including ISTbar, 180solutions and Internet Optimizer. After we performed a signature update, Platinum 2006 also found and destroyed SurfAccuracy. However, Platinum 2006 did not touch several less threatening Claria-based applications, nor did it act on WeatherBug.

Platinum 2006 blocked new infestations extremely well in tests. We were thwarted in our attempts to infect systems with 180solutions, PurityScan and Zango, among others, because Platinum 2006 blocked installation via a Web browser and removed malignant components of archives saved to the local system before installation.

With Platinum 2006, we could also record default browser settings, so if a piece of malware did manage to change the default home page or search page, we could easily restore them with the press of a button.

However, Platinum 2006 buries its scan controls, making it much easier to accept default behaviors than to customize defenses. Spyware and adware are clumped into the category of known threats, which includes viruses and the like, and we were required to globally accept a default action for the entire category.

Eset's NOD32 2.5, priced at $39 for a single license, excelled at blocking spyware installation. NOD32 consists of AMon, a file system monitor; IMon, an Internet monitor for HTTP and POP3 (Post Office Protocol 3) traffic; and the NOD32 on-demand scanning engine.

IMon denied our attempts to install malware via the browser, and AMon successfully deleted known threats as we attempted to unpack and install them locally. The notification of found threats was a little more intrusive with NOD32 than with Platinum 2006, but the actual blocking action was similarly effective in both products.

Although NOD32 easily disabled processes running in memory, it was less effective at cleaning threats fully from the file system. A few 180solutions-based threats kept reappearing after reboot, and Internet Optimizer went undiscovered as well.

Unlike Platinum 2006, NOD32 did not remove items from the Add/Remove programs dialog box in Windows, even if the application was otherwise deleted.

Technical Analyst Andrew Garcia can be reached at
