While dedicated anti-spyware companies struggle to ramp up the underlying management tools that enterprises require to address the escalating spyware scourge, eWEEK Labs tests show that anti-virus vendors are failing the marketplace by providing combination solutions long in integration and management capabilities but decidedly subpar when it comes to finding and permanently destroying spyware.
The appeal of an integrated anti-virus and anti-spyware solution is undeniable—promising simplified management and reporting for virus- and spyware-based threats, a single agent and policy to deploy to client workstations, and integrated delivery of signature updates. All of this would significantly ease administrative burden—if the scanning and cleaning were up to snuff with stand-alone anti-spyware software.
eWEEK Labs invited three leading anti-virus vendors to submit for review enterprise-grade platforms with integrated anti-spyware capabilities. On the following pages, we review the spyware scanning and cleaning, ongoing management, deployment, and reporting capabilities of McAfee Inc.'s McAfee VirusScan Enterprise 8.0i with the optional McAfee Anti-Spyware Enterprise plug-in, Symantec Corp.'s Symantec Client Security 3.0 and Trend Micro Inc.'s OfficeScan 7.0 Client/Server Edition.
While these products' underlying management and distribution tools are effective and easy to use over a large network, we were not entirely satisfied with their spyware defense and cleaning capabilities. Only McAfee's VirusScan Enterprise 8.0i suite is worthy of consideration as the sole anti-spyware solution on the corporate desktop at this time.
Exemplifying our dissatisfaction is the inability of these products to eradicate Claria Corp.'s family of behavioral marketing applications to our satisfaction. According to Webroot Software Inc.'s Q1 2005 State of Spyware report, Claria's GAIN applications are the second-most-common adware programs detected in Webroot's online scans. Despite Claria's claims regarding the legitimacy of its software (and Microsoft Corp.'s recent downgrade of its Claria threat assessment), it is highly unlikely that Claria software has any role whatsoever on the corporate desktop.
Administrators need and should expect their anti-spyware products to completely tackle the problem. Unfortunately, none of the products reviewed here met that expectation. Trend Micro's OfficeScan 7.0 and McAfee's VirusScan Enterprise 8.0i each removed Claria's Precision Time component and several other traces yet left Date Manager alive and active. Symantec Client Security 3.0 couldn't accomplish even that much, leaving Precision Time running.
Through threats to security, system performance and worker productivity, spyware has leapt to the forefront of many IT administrators' minds within the last year, but anti-spyware defenses are still in their toddler stage. We have no doubt that these vendors will improve their anti-spyware capabilities—through research, development and acquisitions—in the near future. Signifying this, Trend Micro recently acquired anti-spyware vendor Intermute and last month released a stand-alone, enterprise-grade anti-spyware platform, with plans to integrate the technology into OfficeScan in the near future.
Unfortunately, at this time, it is best to consider these products as intriguing baby steps in the war against spyware—addressing the core security concerns but leaving system performance and worker productivity as targets to address down the road.
Pricing for the three products is fairly disparate, but each price quoted includes the costs for management servers, consoles and reporting/logging tools. Trend Micro's OfficeScan 7.0 costs $26.97 per user for 1,000 users, while Symantec Client Security 3.0 costs $33.90 per user for 1,000 users. McAfee's VirusScan Enterprise 8.0i with the optional anti-spyware plug-in costs $41.94 per user ($29.54 for VirusScan Enterprise 8.0i and $12.40 for the Anti-Spyware Enterprise module).
In addition to its significantly higher price, VirusScan Enterprise 8.0i lacks a complete integrated desktop firewall. (Symantec Client Security 3.0 and OfficeScan 7.0 include full desktop firewalls, while VirusScan Enterprise 8.0i has limited firewall functions.) However, VirusScan Enterprise 8.0i's vastly superior anti-spyware detection and cleaning capabilities, combined with the best management and reporting tools among these products, make it the only integrated solution we can recommend as a front-line anti-spyware defense.
eWEEK Labs tested each product on a series of Microsoft Windows XP Professional- and Windows 2000 Professional-based hosts, each patched at slightly different levels. To ensure repeatability of tests across products, we installed our clients on virtual machines using VMware Inc.'s VMware Workstation 5.
We infected some clients with known adware threats we've commonly run into on user desktops. We infected others with easily obtainable free system monitors (such as keystroke loggers) or by trawling coupon, warez and other questionable sites. We then took snapshots of each client before anti-virus software installation to ensure that each anti-spyware solution faced the same threats.
We deployed our clients in three separate networks: two primary offices connected via a T-1 (1.544M bps) link simulated using Shunra Software Ltd.'s Shunra Virtual Enterprise, and a remote office connected via ADSL (asymmetric DSL) and an IP Security VPN.
At each primary office, we installed a local signature repository for each of the three products tested to avoid updating many clients directly over a WAN link.
Each vendor we worked with refers to spyware differently: McAfee uses the term Potentially Unwanted Programs, or PUPs; Symantec refers to security risks; Trend Micro uses the classification of spyware/grayware. No matter what the nomenclature, each product integrates spyware detection and cleaning directly into its respective anti-virus engine. Therefore, administrators don't need to deploy multiple management systems or client agents, nor will they need to define separate scanning policies. Spyware signature updates are delivered integrated—or at least simultaneously—with anti-virus updates.
Because spyware detection necessitates a large spike in the number of signatures scanned, we worried that scan times or usage of system resources would spike dramatically. In tests, however, these fears were not borne out. OfficeScan 7.0's and VirusScan Enterprise 8.0i's full virus and spyware sweeps were generally completed within 10 to 15 minutes on all our test machines, while the Symantec Client Security 3.0 scans generally took about 20 minutes.
To their credit, all the products effectively identified and disabled what we considered the most serious security threats in our testbed, a series of keystroke loggers. Symantec Client Security 3.0 and OfficeScan 7.0 disabled and removed each logger when first scanned, while VirusScan Enterprise 8.0i identified each instance on first scan and then removed those instances after we rebooted each affected client and performed a second scan.
Overall, we found that VirusScan Enterprise 8.0i generally provided the most complete spyware identification and cleaning capabilities. We could decide which types of malware—or any potentially malicious application—we wished to scan for, including spyware, adware, remote admin tools, dialers and password crackers. From the client, we could also initiate in-depth scans of the Registry or scans to look for tracking cookies. As with the keystroke loggers, VirusScan Enterprise 8.0i removed most threats in our testbed on the second scan—after a first scan and reboot ensured the malicious code was not active at clean time.
VirusScan Enterprise 8.0i also provided the most complete spyware-blocking capabilities of all the products we tested, denying our attempts to install Claria, PurityScan and one form of CoolWebSearch before they gained any traction on our test system. Symantec Client Security 3.0 and OfficeScan 7.0, on the other hand, allowed us to install these applications and then caught the offending components of these programs via continuously running active scans.
What OfficeScan 7.0 claims to clean is a bit of a mystery. Unlike with the other products, administrators can use OfficeScan 7.0 only to enable or disable spyware/grayware detection by the integrated Damage Cleanup Services—but there's simply no way to target scans for particular classes of threats.
OfficeScan 7.0 will identify tracking cookies, though, which can severely ratchet up the number of threats found. However, because OfficeScan 7.0 does not allow administrators to target scans for specific threats, we could not disable cookie detection while continuing to scan for other spyware. Trend Micro representatives provided a patch that allows the log to ignore cookie findings.
We found Symantec's spyware-cleaning capabilities, built into the AntiVirus Corporate Edition client component of Symantec Client Security, to be the weakest reviewed here. Symantec Client Security 3.0 provides the flexibility to allow administrators to set different actions according to the threat found (such as adware, dialers, spyware and trackware), but the product will not scan for tracking cookies. The software's ability to scan and clean the Registry pales in comparison with the other products as well, leaving many obvious threats in obvious places, such as the HKLM Run key.
To top it off, we found several of our test clients could not complete a full scan of the infected host without the scanning engine crashing. Indeed, Client Security 3.0 essentially necessitated running scans of heavily infected systems in Windows Safe Mode—which greatly amplified our administrative burden and still did not adequately disable many traces.
With each product we tested, we noticed some of our clients kept alerting for threats that we verified had been deleted during earlier cleaning attempts. This indicated that unknown components remaining on the infected system were attempting to rebuild a known threat. While disabling and removing malicious code and active processes are important, each product tested could stand to improve cleaning signatures to remove the components that allow threats to regenerate.
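The symptom described in this paragraph, a host that keeps alerting on a threat the product already reported as removed, is easy to surface from the detection logs every one of these products keeps. The script below is an added example, not code from the review or from any vendor's console: it walks a constructed detection log, and for each host/threat pair counts detections that occurred after the first delete or quarantine. A threat that was only ever logged (a tracking cookie, say) is never counted, so the report points at regeneration rather than at noisy cookie hits. The log format, host names, threat names and timestamps are invented.

```python
"""Flag threats that are detected again on a host after a scan already
reported them cleaned, the regeneration pattern the review observed.

Constructed example: the log format, hosts, threat names and timestamps are
invented for this illustration and are not output from any reviewed product.
"""
from collections import defaultdict
from datetime import datetime

# Constructed detection log: one event per line, key=value fields.
SAMPLE_LOG = """\
2005-05-10T09:00 host=WS-01 threat=Adware.Example.A action=Deleted
2005-05-10T09:00 host=WS-01 threat=Adware.Example.B action=Deleted
2005-05-11T09:00 host=WS-01 threat=Adware.Example.A action=Deleted
2005-05-12T09:00 host=WS-01 threat=Adware.Example.A action=Deleted
2005-05-10T09:05 host=WS-02 threat=Adware.Example.A action=Deleted
2005-05-11T09:05 host=WS-02 threat=Tracking.Cookie.X action=Logged
2005-05-12T09:05 host=WS-02 threat=Tracking.Cookie.X action=Logged
"""

# Actions that mean the product claims the threat is gone.
CLEAN_ACTIONS = {"Deleted", "Quarantined", "Cleaned"}


def parse_events(text):
    """Parse log lines into (timestamp, host, threat, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M")
        events.append((ts, kv["host"], kv["threat"], kv["action"]))
    return events


def find_regenerating(events):
    """Return {(host, threat): recurrences}, counting every detection that
    came after the first clean action for that host/threat pair."""
    history = defaultdict(list)
    for ts, host, threat, action in sorted(events):  # chronological per pair
        history[(host, threat)].append(action)
    findings = {}
    for key, actions in history.items():
        cleaned, recurrences = False, 0
        for action in actions:
            if cleaned:
                recurrences += 1
            if action in CLEAN_ACTIONS:
                cleaned = True
        if recurrences:
            findings[key] = recurrences
    return findings


if __name__ == "__main__":
    for (host, threat), n in find_regenerating(parse_events(SAMPLE_LOG)).items():
        print(f"{host}: {threat} re-detected {n} time(s) after being cleaned")
```

A host that shows up in this report is the one to snapshot and inspect by hand for the component doing the rebuilding; the repeated clean actions themselves are not progress.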
For instance, OfficeScan 7.0 was the only product to effectively stifle a nasty bit of malware that hijacked one system's desktop, turning it into an Active Desktop Web search engine and blocking us from accessing desktop management tabs. While Symantec Client Security 3.0 and VirusScan Enterprise 8.0i were unable to deal with this problem at all, OfficeScan 7.0 restored the desktop and our configuration controls—until the next reboot, when the problems reappeared.
All three products also failed to properly clean one system infected with an LSP (Layered Service Provider)-based threat, which tightly wove itself into the client's TCP/IP stack. Both Symantec Client Security 3.0 and VirusScan Enterprise 8.0i detected the infection and deleted an offending DLL—which resulted in a crashing wave of error messages and a nonfunctional network connection after we rebooted the client. OfficeScan 7.0, on the other hand, failed to identify the threat at all, which sadly was a preferable outcome, all things considered.
McAfee and Trend Micro representatives were surprised by these results, as each company claims to identify and clean many LSP-borne threats. Symantec representatives promised an improved repair engine late this quarter to address LSP-based malware.
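The LSP failure above has a specific shape: the cleaner deletes the provider DLL but leaves its Winsock catalog entries behind, so every socket-using application loads a chain that points at a file that no longer exists. The script below is an added example, not code from the review or from any vendor: it parses a catalog listing constructed to resemble the output of `netsh winsock show catalog` and reports entries whose provider DLL is missing. The provider names, GUIDs and paths are invented, and a small set of "files present" stands in for a real filesystem check so the example runs anywhere.

```python
"""Find Winsock catalog entries whose provider DLL is gone from disk, the
state left behind when an LSP DLL is deleted without its catalog entries.

Constructed example: the listing imitates the layout of `netsh winsock show
catalog`, but the descriptions, GUIDs and paths are invented, and
FILES_PRESENT models the filesystem after a cleaner removed exlsp.dll.
"""
import ntpath
import re

SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Layered Provider
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\WINDOWS\\system32\\exlsp.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example Layered Provider over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\\WINDOWS\\system32\\exlsp.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              2
"""

# Constructed view of the disk after the cleaner deleted exlsp.dll.
FILES_PRESENT = {r"c:\windows\system32\mswsock.dll"}
# Environment variables the catalog may use in provider paths (assumption).
ENV = {"%SystemRoot%": r"C:\WINDOWS"}


def parse_catalog(text):
    """Split the listing into one dict of 'Field: value' pairs per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = re.match(r"([A-Za-z ]+):\s+(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def expand_path(path, env=ENV):
    """Expand %VAR% references and normalise the path for comparison."""
    for var, value in env.items():
        path = path.replace(var, value)
    return ntpath.normpath(path).lower()


def dangling_entries(entries, files_present=FILES_PRESENT):
    """Return (catalog id, description) for entries whose DLL is missing."""
    return [(e["Catalog Entry ID"], e["Description"]) for e in entries
            if expand_path(e["Provider Path"]) not in files_present]


def layered_providers(entries):
    """Inventory of LSP entries, the list to compare against a known-good host."""
    return [e["Description"] for e in entries
            if e.get("Entry Type") == "Layered Service Provider"]


if __name__ == "__main__":
    entries = parse_catalog(SAMPLE_CATALOG)
    for entry_id, desc in dangling_entries(entries):
        print(f"catalog entry {entry_id} ({desc}) points at a missing DLL")
```

Running a check like this before and after a cleaning pass on a suspect host shows whether the product unchained the provider or merely deleted its file; on Windows XP SP2 and later, `netsh winsock reset` rebuilds the catalog to its default state, which is the recovery step for a host already left in the broken condition the review describes.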
Each product we tested provides free enterprise management platform components bundled with client licenses. These platforms allow mature and robust centralized administration, policy control and logging over anti-virus and anti-spyware components.
On the whole, we preferred McAfee's ePolicy Orchestrator 3.5 because of its intelligent design and simplified client distribution, with ties to Active Directory for organizational structures, and advanced reporting capabilities.
We deployed ePolicy Orchestrator 3.5 server in the data center of our main network, and we could configure multiple management consoles as front ends to the server. From the console, we could push deployment of a signature and configuration policy repository to a server in the other office to minimize bandwidth utilization for clients remote to the ePolicy server. We could also push the ePolicy agent to clients from the console, using directory structures culled from Active Directory to define groups of managed hosts in ePolicy Orchestrator 3.5.
To update signatures or add optional components (such as the Anti-Spyware module), we added components to the central repository; the components could then be replicated to other repositories and delivered to clients on demand or on a scheduled basis.
With the Symantec offering, clients report to central servers, with configuration and scanning policies applied on a per-server, per-group or per-client basis. We deployed policy servers at both primary offices, although we also could have chosen to deploy a Live Update server in the second location instead. Each server and all clients are managed via the SSC (Symantec Security Center) application, which can be installed on multiple computers.
Symantec's primary update vehicle is LiveUpdate, which can be configured to update from Symantec's servers at specified intervals. We're not wild about LiveUpdate's practice of releasing signature updates only on a weekly basis (unless new critical threats are afoot), but administrators wishing for daily signatures can create a script to automate Symantec's Intelligent Updater update process instead.
We also deployed separate OfficeScan 7.0 servers at each primary network site. Unlike the other products, which use management GUI applications, OfficeScan 7.0 offers an integrated Web console for each server—installed atop Microsoft's IIS (Internet Information Services) or Apache 2.0. A separate central management console is also available, but we were not able to test it in time for this review.
For sites wishing only to install a signature repository at remote sites, OfficeScan 7.0 let us designate a client as a repository, and we could adjust deployment policy for remote-site clients to look to this repository client for updates.
Deploying client software via the OfficeScan Web console was sometimes tedious, requiring us to provide administrative log-in credentials for each host to which we wished to push software, instead of allowing us to set a universal management password.
Each product we tested includes in-depth logging functions that detail system events and detection history, and the logs may be accessed from the management console or directly from the client agent, if permitted. We found that each product's logs contained detailed accounts of scan histories, threat detection histories and records of the action taken when threats were identified.
McAfee's VirusScan Enterprise 8.0i, however, is the only product that includes a true reporting engine. From ePolicy Orchestrator 3.5, we could pull a vast array of filterable reports with drill-down infection details, top-10 reports and other high-level reports. We could also export these reports to a variety of file types for further dissemination.
Each product's logs and reports pointed to its respective vendor's Web site for in-depth descriptions, technical details and manual removal processes for threats found on our infected systems.
We preferred Symantec's Web site, with its impressive details and breadth of coverage. We found that both the McAfee and Trend Micro threat encyclopedias lacked details about many spyware threats and provided bare-minimum threat assessment or no information at all. Documenting spyware threats must be a tedious and time-consuming endeavor, but, given the spotty cleaning record these products displayed, more information is definitely required.
Integrated anti-virus/anti-spyware solutions

McAfee's VirusScan Enterprise 8.0i with Anti-Spyware Enterprise module: good blocking capabilities, decent cleaning routines and solid all-around management (www.mcafee.com)

Panda Software's EnterpriSecure with TruPrevent: increased emphasis on technology to block unknown threats before signatures are available (www.pandasoftware.com)

Dedicated anti-spyware solutions

Computer Associates International Inc.'s eTrust Pest Patrol Anti-Spyware Corporate Edition: good spyware defenses but not yet integrated into CA's other security platforms (www.ca.com)
Technical Analyst Andrew Garcia can be reached at [email protected].