When evaluating anti-spyware solutions, administrators should strongly consider implementing a gateway detection and blocking solution in addition to host-based anti-spyware software. While gateway solutions come in many shapes and sizes, the spyware-blocking prowess they confer will help alleviate spyware infection rates and reduce the strain on desktop administration and computing resources.
Although gateway devices cannot clean existing infections, they can detect and block outgoing “phone home” behavior from malware that is used to transmit pilfered personal data, as well as malware attempts to update or restore out-of-date or damaged components.
Better yet, gateway devices provide much-improved blocking capabilities, denying users the chance to access spyware-ridden Web sites or to download infected packages. With a gateway device, many malware strains never have the chance to start the installation process, so theres less need to test and tax client solutions cleaning prowess.
While client-based anti-spyware software products often have their own blocking mechanisms, eWEEK Labs has found many of these products capabilities to be underwhelming or ineffective. Many of these products rely on real-time protection through hard drive scans, catching new spyware infestations only after installation has started. And once many malware strains gain a foothold, it is hard to completely eradicate them—no matter what client software is used.
During the last six months, several vendors have ramped up client blocking mechanisms through the use of kernel-level drivers. This has the dual benefit of hiding the protection from the operating system—making it harder for malware to detect and disable in-place defenses—and enabling anti-spyware products to clean malware strains that use rootkit technologies to mask themselves from the operating system. However, the impact of installing many applications at the kernel level is unclear at this time. Some evidence has surfaced that shows that anti-virus and anti-spyware applications could interfere with each other as they both start to leverage kernel-level components.
Many products now being marketed as gateway anti-spyware appliances did not get their start that way. Weve seen several types of products get repositioned as spyware defense. For example, vendors that produce Web filtering appliances, Web caching appliances, instant messaging security appliances and gateway anti-virus devices are wading into the anti-spyware arena. While not all solutions are created equal, each will provide some modicum of protection.
When evaluating gateway anti-spyware appliances, IT administrators should first examine whether the company already has some pieces in place that are upgradable to spyware defense. Introducing new appliances into the network mix always runs the risk of adding latency to network performance, so paying due diligence to whats already installed could reap immediate security and performance benefits.
Of course, gateway appliances should not be relied on as the sole layer of spyware defense. Gateway appliances have no cleaning capabilities to remove existing threats, nor can they provide protection for mobile clients as they migrate outside the corporate perimeter.
The holy grail for the anti-spyware industry is actually a tight integration between desktop and perimeter-based defenses: An anti-spyware appliance detects phone-home behavior on a particular client and notifies the central management engine, which automatically engages the desktop component to clean that particular threat. This scenario is ideal, as less administrative time is lost identifying and cleaning threats, and fewer system resources are consumed networkwide as scheduled daily scans make way for targeted as-needed activity.
At this time, however, few vendors have the necessary gateway, client and management pieces in place to pull off this complete architecture. FaceTime Communications aims to be the first vendor to provide this level of integration—the forthcoming Enterprise Spyware Prevention Suite is slated to include Real-Time Guardian 3.1, along with FaceTimes Greynet Enterprise Manager, which provides centralized management and control over both gateway and client component activity. The suite is also expected to include a headless desktop component that can be pushed down to user machines on demand.
The trade-off with such a solution is coverage. With almost every anti-spyware product eWEEK Labs has tested, there are significant holes in spyware definition libraries. No product can catch and clean every spyware strain in existence, and some miss many strains. Enterprises will run a risk, therefore, when relying on a single vendor for tiered spyware protection: If a vendors gateway component misses a strain, it is fairly certain that its client component will, too.
On the other hand, when using different vendors for perimeter and desktop defenses, the problem becomes one of management and resource utilization. There are no standards that dictate anti-virus/ anti-spyware management, so administrators will likely have to maintain separate management consoles, logs and reports for each product used.
While management platforms such as McAfees ePolicy Orchestrator can be used to manage a few vendors products, the majority of software and devices will not be manageable in this fashion. Correlating information imported from any two systems will require significant manual effort or custom-designed tools for in-depth analysis.
Likewise, without tightly integrated and automatically correlated data, demands on system resources will remain high, as regularly scheduled scans of all desktops will remain necessary.
Technical Analyst Andrew Garcia can be reached at [email protected].
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.