Fighting Spyware Is Never-Ending Battle

Tech Analysis: Products and enterprises must evolve to meet new challenges.

Early adopters of anti-spyware products may focus primarily on a product's ability to identify and clean spyware on the desktop, but eWEEK Labs recommends that administrators be proactive—emphasizing new practices or technologies that thwart malware threats before installation while being aware of the potential for complications that could arise in doing so.

Anti-spyware vendors are in a constant tug of war with malware writers, trying to cope with and compensate for new technologies that make malware harder to identify and eradicate. For example, the latest malware instances may use rootkits to hide their presence, self-healing mechanisms to spontaneously regenerate when threatened, and active processes that try to disable resident security programs.

Because signature-based scanning and cleaning is, in essence, a reactive process, any anti-spyware program under test is unlikely to be able to identify and clean each malware instance in an enterprise network. In fact, it's commonly accepted wisdom in the field that administrators may need to use a combination of products to eradicate every threat.

Administrators would be wise to examine methods of keeping spyware off the desktop in the first place. Last month, eWEEK Labs spoke with several organizations that are successfully avoiding malware by restricting users' privileges on the local system—in short, they are effectively avoiding spyware by denying users the right to install it. Another tack, implementation of gateway-based detection technology, will help protect users connected to the corporate network. (eWEEK Labs will examine gateway-based anti-spyware in a forthcoming issue.)


Desktop anti-spyware vendors also are making dramatic leaps in their products' ability to block spyware installation. Early blocking technologies using real-time scans that instigate scanning and cleaning as files are written to disk have proved insufficient against the latest hardened threats, but newer technologies seen from vendors including Aluria Software, Tenebril Inc. and Webroot Software Inc. are increasingly using kernel-level drivers to identify threats before they are installed.

By hooking into the kernel, these products are more effective at blocking threats because they monitor read and write commands from the operating system to the file system, identifying and eliminating threats before they are written to disk.

Unfortunately, this penetration deep into the operating system provides more opportunities for conflict with existing security solutions, such as anti-virus software, that also use kernel-hooking techniques. As more programs interact at the kernel level, there is a greater chance that the programs will conflict with one another, which could cause the system to become unstable.


In past reviews, we've praised integrated solutions from McAfee Inc. and Panda Software International S.L. for their advanced ability to block spyware before installation. Combining this anti-spyware capability into a single-agent architecture on the desktop, these products and others like them are in a position to provide a more stable computing environment (even as we await further improved scanning and cleaning capabilities from these integrated systems).

By increasing the emphasis on blocking spyware before it can gain a foothold on the desktop, enterprises can also use regular scans for auditing purposes rather than as a front line of defense. To achieve compliance with regulatory mandates including the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, HIPAA (Health Insurance Portability and Accountability Act), and Payment Card Industry regulations, organizations will need to ensure—and demonstrate—that desktop systems are not compromised. Reports from regularly scheduled scans can provide the necessary proof, while also offering cleaning services for the occasional threat that may slip through the front line of defense.

Of course, this new role for anti-spyware defenses will require across-the-board improvements in reporting capabilities. Anti-virus and anti-spyware vendors would do well to create new report templates that are tailored to each particular set of regulations.

We predicted in anti-spyware reviews early last year that the shelf life of the stand-alone anti-spyware system is coming to an end. Customers will demand and will be better served by an integrated security solution that provides anti-virus, anti-spyware, intrusion prevention and desktop firewall capabilities, while reducing management complexity and opportunities for system conflicts.

We remain confident that this prediction will come to pass. As Trend Micro Inc., EarthLink Inc. and CA have gobbled up various anti-spyware companies during the last year and a half, the number of relevant independent anti-spyware-only vendors has dwindled. And Sunbelt Software Inc.'s recent acquisition of Kerio firewall technology indicates that this anti-spyware pure play will soon produce its own integrated suite as well.

Technical Analyst Andrew Garcia can be reached at
