Shavlik NetChk Spyware, Shavlik Technologies LLC's initial foray into spyware defense, shows great promise with an easy-to-deploy architecture and in-depth manageability and control—but eWEEK Labs' tests show its immature scanning and detection could stand some improvement.
Shavlik NetChk Spyware, released in August, is a part of Shavlik's new NetChk Protect 5.5 line, which marries Shavlik's powerful, familiar HFNetChkPro patch management solution with new anti-spyware capabilities. All patch management and anti-spyware detection and cleaning can be controlled from a single management interface—an attractive option for companies leery of saddling their IT staff with additional management routines.
NetChk Spyware can be licensed separately—1,000 managed desktops cost an affordable $12.45 per workstation per year—or can be licensed with patch management services. NetChk Protect 5.5 with NetChk Spyware and patching costs $23.75 per workstation per year (for 1,000 clients). Current patching customers can add anti-spyware capabilities for $8.75 per workstation (again, for 1,000 clients).
Management is performed via a GUI that will be familiar to any user of Shavlik's patching products. The GUI is comprehensive and intuitive, but a little overcrowded on the screen for our tastes. A pair of new options, the Spyware Scanning and Signature Families spyware management components, reside in the leftmost navigation box.
NetChk Spyware comes preconfigured with a scan that performs checks for threats that Shavlik has classified as spyware, malware or adware. We could also configure scans to check for NonBizWare applications—which, according to the NetChk Spyware Signature Family, includes peer-to-peer and instant messaging applications, as well as various gaming and pornography apps. Because the NonBizWare category includes applications such as Skype Technologies S.A.'s Skype and Cerulean Studios' Trillian, administrators should take care not to inadvertently disable a critical communication application that users may rely on.
NetChk Spyware offers some of the most robust configurability we've seen from an anti-spyware product, giving administrators granular control to prioritize and categorize threats. Out of the box, Shavlik provides a threat assessment field for each signature in the database, but administrators can take it a step further and tag signatures with their own threat assessment using the Criticality field. In addition, we could create our own signature groups of particular threats—for instance, keystroke loggers—that caused us greatest concern.
Based on these assessments and our categorizations of the most dire threats to the test network, we created customized scans to search for and eliminate our designated worst threats at frequent intervals and left more comprehensive scans of lesser threats to run overnight.
Like Shavlik's patching engine, NetChk Spyware did not require us to preinstall agents on client desktops. However, the NetChk server must be able to contact clients via the Microsoft Corp. networking ports (TCP ports 139 and 445) and have the proper credentials to perform such a scan. No other configuration is necessary at the client, which makes it very quick and simple to get up and running.
NetChk Spyware offers two scan modes: network-based and dissolving services. Network-based scans rely on the server to perform the scan, which can lead to longer scan times and greater network utilization but has no lasting footprint on the client. The dissolving services mode, on the other hand, relies on the client processor to perform the scan. This expedites scans and leads to a more thorough cleaning, but it requires the included Shavlik Scheduler service to be installed on the client and the spy detection engine to be copied and run locally. This installation happens automatically as a scan job is pushed to the desktop.
NetChk Spyware's scan and remediate functions are configured separately, although we could choose to automatically remediate all found items after a scan was completed. We configured several remediation templates to send the necessary notifications, to vary the amount of CPU used on the client during the job and to offer users varying degrees of control over the reboot timing when the job was finished.
Because NetChk Protect is agentless, we were concerned about its ability to block spyware from infecting a system in the first place. Up-to-date patching is obviously an important part of Shavlik's strategy for avoiding spyware, but NetChk Protect offers a few protection items as well. The Protection Signature Family offers a temp-file cleaner, a Web site blacklist and an ActiveX kill bit that can prevent certain applications from being invoked from a browser.
Instead of partnering with an existing anti-virus or anti-spyware company to provide definitions, Shavlik has its own team of researchers building their signatures.
Shavlik is behind the curve when it comes to spyware research, and the detection and cleaning still need improvement. For example, in tests, NetChk Spyware successfully rooted out the WhenU and Surf Accuracy threats that have often flummoxed competing products we've seen. But cleaning of various Claria, WeatherBug and ISTbar applications was unsuccessful to various degrees, leaving several processes intact and active. And, according to Shavlik representatives, cleaning of Layered Service Provider-based threats is still to come.
And although NetChk Protect includes signatures for several keystroke loggers, it never detected Family Keylogger on one of our clients.
On the bright side, Shavlik is quickly ramping up the number and scope of available signatures. During testing, we received two very large update packages that stopped many threats that were originally unaddressed in our testbed, and we're confident Shavlik's anti-spyware signature base will continue to grow quickly.
McAfee Inc.'s VirusScan Enterprise 8.0i with Anti-Spyware Enterprise Edition: The best of the integrated anti-spyware/anti-virus products we've seen to date (www.mcafee.com)
Technical Analyst Andrew Garcia can be reached at [email protected].