When evaluating anti-spyware solutions, administrators should strongly consider implementing a gateway detection and blocking solution in addition to host-based anti-spyware software. While gateway solutions come in many shapes and sizes, the spyware-blocking prowess they confer will help alleviate spyware infection rates and reduce the strain on desktop administration and computing resources.
Although gateway devices cannot clean existing infections, they can detect and block outgoing "phone home" behavior from malware that is used to transmit pilfered personal data, as well as malware attempts to update or restore out-of-date or damaged components.
Better yet, gateway devices provide much-improved blocking capabilities, denying users the chance to access spyware-ridden Web sites or to download infected packages. With a gateway device, many malware strains never have the chance to start the installation process, so there's less need to test and tax client solutions' cleaning prowess.
While client-based anti-spyware software products often have their own blocking mechanisms, eWEEK Labs has found many of these products' capabilities to be underwhelming or ineffective. Many of these products rely on real-time protection through hard drive scans, catching new spyware infestations only after installation has started. And once many malware strains gain a foothold, it is hard to completely eradicate them—no matter what client software is used.
During the last six months, several vendors have ramped up client blocking mechanisms through the use of kernel-level drivers. This has the dual benefit of hiding the protection from the operating system—making it harder for malware to detect and disable in-place defenses—and enabling anti-spyware products to clean malware strains that use rootkit technologies to mask themselves from the operating system. However, the impact of installing many applications at the kernel level is unclear at this time. Some evidence has surfaced that shows that anti-virus and anti-spyware applications could interfere with each other as they both start to leverage kernel-level components.
Many products now being marketed as gateway anti-spyware appliances did not get their start that way. We've seen several types of products get repositioned as spyware defense. For example, vendors that produce Web filtering appliances, Web caching appliances, instant messaging security appliances and gateway anti-virus devices are wading into the anti-spyware arena. While not all solutions are created equal, each will provide some modicum of protection.
When evaluating gateway anti-spyware appliances, IT administrators should first examine whether the company already has some pieces in place that are upgradable to spyware defense. Introducing new appliances into the network mix always runs the risk of adding latency to network performance, so paying due diligence to what's already installed could reap immediate security and performance benefits.
Of course, gateway appliances should not be relied on as the sole layer of spyware defense. Gateway appliances have no cleaning capabilities to remove existing threats, nor can they provide protection for mobile clients as they migrate outside the corporate perimeter.