A recent report by independent US market research company Radicati, titled: "Corporate Anti-Spyware Market 2005-2009", predicts that the number of corporate users with anti-spyware tools will grow from 16 million users in 2005 to 540 million in 2009. An increase that will be invariably reflected here in Australia.
The surge in popularity of spyware has drawn debate about the actual definition of the term. Advertising companies have been threatened with litigation when anti-spyware applications detect and report their products, arguing that they are legitimate adware, not unwanted spyware.
Are the advertising companies right? Do people want adware? It all comes down to the End User Licence Agreement (EULA) -- you know, where you automatically click "accept" while installing a new application without a second thought of what it says. These legitimate adware marketing enterprises suggest that if you do not wish to have your browsing habits tracked, or receive browser pop-up notices etc, then you should read the EULA carefully before installing an application to ensure that there are no clauses that allow this kind of activity. The theory being, if a user accepts and acknowledges that they are willing to have their details/habits/information used, then the application doing so should not be classed as spyware, it is adware -- undoubtedly a tenuous assertion.
Whichever way you slice it, spyware and adware still fall into an application category where information is collected and reported back to base.
It ranges from the relatively harmless advertising/marketing information gathered about computer users' Internet browsing habits, through to the much more malicious examples where information such as banking details, credit card details, usernames, passwords, or even personal details are gathered.
The results of the use, or misuse, of information gathered by these methods can be as innocuous as browser popup advertisements, through to full-scale identity theft, credit card fraud, or stolen banking usernames and passwords.
Technically some spyware may be desirable in an enterprise environment. Several vendors have produced some capable commercial key-logging applications that enable management to monitor employees' behaviour and ensure that the acceptable usage policies are being upheld by staff members.
In our experience some vendors' anti-spyware solutions pick up these commercial key-loggers and others don't. If a hacker does their homework and discovers an organisation that uses an anti-spyware application that does not pick up certain key-loggers, all the hacker needs to do is purchase a commercial key-logger and install it on the target's PC.
Anti-spyware products fall into two separate categories: those that are ultimately separate, standalone applications requiring local administration and management, and those that support centralised and remote management functionality. Where applicable we have noted this in the product write-ups. The product write-ups also look at installation, configuration, ease of use, the updating of signature files, scanning, and reporting options.
The third anti-spyware variation, not reviewed here, is the anti-spyware gateway which is based on the principal of blocking threats at the perimeter before they have a chance to enter the network. Anti-spyware gateways can also detect, block, and isolate spyware threats on an infected internal network machine. These products can be appliance (hardware) or application (software) based.
A freeware solution, S&D has been around since the dark ages. Therefore we decided to throw it in for good measure. S&D is a client-based application that installed very quickly and easily.
S&D offers two forms of permanent protection, SDHelper to protect Microsoft's Internet Explorer and TeaTimer to protect the system settings.
A neat feature and part of the initial configuration that S&D performs is giving the operator the option of performing a complete registry backup. Next is a search for updates.
There are two modes with S&D: the default mode and an advanced mode which gives the power user options to tweak. For those with a multilingual bent there are also five languages supported which can be swapped at the click of a button.
Updates are relatively complex when compared with the competition. Updates are completed by clicking the update icon in the left hand menu and then clicking search for updates in the window to the right. A list of available updates are then presented and the operator can pick and choose which ones to download prior to clicking on the download updates icon.
Scanning is straight forward cycling through some 30,000+ threat signatures. In summary Spybot S&D 1.4 is a basic desktop anti-spyware scanner with minimum frills.
It would be particularly suited to smaller organisations that already have good antivirus and desktop security products and procedures in place but need to add anti-spyware capability.
Pest Patrol is a distributed, centrally managed product that overall is very use to use and, due to its "no-frills" approach to management, is also very easy to administer.
Installation for this product is a breeze, with all the software necessary up and running with a minimum of fuss, including Microsoft's .NET framework 1.1. Once launched, the application immediately prompts you to download and install any required updates.
Configuration of Pest Patrol is easy: most of the one-off tasks occur in the "Server Activities" tab of the application. Administrators can also manually launch scans of workstations in their domains/workgroups from the application, or schedule automatic workstation tasks according to daily or weekly plans.
Updating signature files is automatic and whenever the operator launches the eTrust Pest Patrol management console the system automatically notifies them of any available updates, but the paranoid administrator can also do a manual check for these.
Using the management console, the status of individual workstations can be viewed at a glance -- icons change for each machine depending on the status. If a threat has been detected on a particular machine, for example, a big yellow exclamation mark is displayed. From here the operator can drill down to view the logs and take action if it has not already been automatically initiated, which is a handy feature. Reporting is limited to text-based log systems which is better than none at all.
Anyone familiar with the ease of use offered by Lavasoft's traditional desktop product will feel right at home with the Ad-Axis Management console.
There is virtually nothing to do, you simply ensure that the clients are listed and schedule automatic updates and client scans. Signature file updates can be scheduled with the Ad-Axis server, and can be easily checked by using the management console.
There is no real reporting available from the management console but notifications can be set to be e-mailed once triggered.
While Lavasoft's centrally managed server/client application is well suited to enterprises, overall it shows its original desktop roots. This is not necessarily a bad thing but to our liking the product is a little too light in features and reporting and lacks things such as the ability to have multiple domain policy groups with individual control per group, and the availability of detailed integrated report generation/charts.
McAfee VirusScan was one of the easiest of all the enterprise-level applications to install. Beyond that, its initial configuration involves modifying the network driver to enable port blocking, infection trace, and infection-trace blocking. The main configuration, performed within the VirusScan console, is straightforward using a well-laid-out and intuitive interface and menu system.
There is another degree of administrative control for the product which can be found in the on-access scan properties section -- these two configuration sections enable full control and custom configuration of on-demand and on-access security controls for the machine. Several other features exist in this product, including the ability to centrally or remotely manage and administer the product. It also has the ability to perform some heuristic scanning to detect suspected viruses, and allows you to lock down system files to ensure any unknown spyware/Trojans, etc, do not gain access to write to that directory.
Technically complex, operators may find themselves initially overwhelmed by the amount of custom control they can have over the application, however, after a short time with the interfaces, this becomes quite logical and intuitive. We feel this is a good thing, as the more control you have over options the better off you are in the long run.
When it comes to updating signature files and applications, this is one of the products to use -- the user simply has to right click once on a small task bar icon and select "Update Now" from the menu. The scanning progress is very visual with a lot of information provided. Reporting summaries are also clear and concise and a log file is generated that can be viewed via the application.
If you are looking for a fully integrated desktop security solution then you would be hard pressed to go past McAfee's VirusScan Enterprise 8.0 + Anti-Spyware Module. This product is definitely on the shortlist if you are considering a complete forklift replacement of existing antivirus and anti-spyware applications.
Because it is a standalone, client-based anti-spyware solution, the Microsoft product is less easy to administer and manage in the enterprise environment. That said the installation itself was quick and straightforward.
When started for the first time the user is run through several configuration options and given the chance to do the first scan of the system. Running either a quick scan or full system scan is only a few clicks away, and the user can also configure the system to schedule automatic scans.
All of the products we tested here have provided a quick and easy way to update signature files, and the Microsoft product is no exception -- simply click on "File" and select "Check for updates" in the menu that appears. Information provided during scanning and post-scan reports are adequate and contain enough information for most operators to get by.
For a small organisation, with say less than 150 or so users, Microsoft's Anti-Spyware Beta1 application may suffice. However, as this product is still in Beta it may be better to consider more fully developed and robust products.
Installation of Spyware Doctor is straightforward, and the product prompts the user to perform a live update to bring the latest available patches and databases onto the machine. Once the update is complete the program launches and performs a full-system scan. This full scan was blazingly quick compared to some of the other products tested.
Configuration for most tasks can be found in the main menu and you can also find some settings for the "OnGuard" protection system under its own menu tree. In terms of on-access scanning, Spyware Doctor has one of the most comprehensive systems we have seen, with a variety of guards, immunisers, schedulers, and blockers -- something for anyone with a fetish for tuning and tweaking. While the tuning/configuration side of things may sound quite daunting, the out-of-the-box default settings are really quite good -- there is no need to make any changes unless a particular environment requires it.
PC Tools employs a live update system with the icon residing on the main application window -- a single click and the system will check for patches and updates. When scanning the information provided is clear and concise. The reporting function post-scan presents the operator with a clear indication of where possible threats may lurk. There is an excellent log viewer in the "Settings" menu and it also provides really neat activity reports.
For businesses with up to 150 or so employees, PC Tools Spyware Doctor 3.2 should definitely be on the shortlist. For larger enterprises, keep an eye out for the centrally managed version when it is released.
Installation is surprisingly straightforward and intuitive for what initially seems to be a very daunting application (over 326MB zipped). It can be run as a standalone unmanaged client or as a fully managed system. It includes both client and server software.
Once installed, the operator can perform a live update to bring the system up to date with the latest patches and definitions.
Using a menu configuration system is a good idea for such a complex product and this menu system proves easy to use. The left-hand menu contains a list of all the top-level options that can easily be launched. The administrator can drill further down by expanding the item requiring further configuration.
The scanning and reporting functions are integrated into one window once scanning is launched, with adequate levels of information provided including files scanned, threats found, elapsed time, the risk found, action performed, and the filename of the identified threat.
If you want a complete desktop protection application then you should definitely take a look at Symantec Client Security 3.0.
Installation is straightforward and client software can be installed on each PC in the domains requiring protection -- this is easily performed by selecting the workstation in the "My Network" section of the administrative console and selecting "Install".
Configuration is also relatively easy -- we think any experienced enterprise-level administrator will require only an hour or two with this product to be able to customise and scan systems on their network according to their needs.
The initial configuration launches a browser-based administrative console that enables the operator to select from the domains to protect. Please note that Apache Web server for Windows is installed as part of the server install so administrators with fears about "auxiliary" applications potentially punching holes in the business's security policies may need to look into this.
Updating signature files can be set to automatic in the policy control. The system, like many other applications produced by Trend Micro, is policy based. This is handy as it lets administrators set up groups of machines with specific configurations. From here, administrators can automate much of the day-to-day threat-scanning jobs, tailoring them to specific roles or groups within the organisation.
Scanning can be completed from an administration console that is browser based, a neat feature which enables administrators to access it from virtually anywhere the business's security policy will allow.
Reporting is also accessed from this console and the product has comprehensive reporting options. If your enterprise already has its antivirus and other desktop-related security controls in hand and is just looking for a powerful, easy-to-use anti-spyware application then the Trend Micro Anti-Spyware for SMB 3.0 product will be very hard to go past -- definitely one for the shortlist.
Before installation the software runs through a range of preliminary queries related to the initial configuration of the server application. Installation of this server/client application takes a little longer than some of the others, but at the end of the day this is not a task that would need to be done very often.
Configuration is handled via the administration console, enabling the operator to control the individual updates and scan configurations of the client PCs. While each client can still be allowed to initialise their own scans (should they wish), the administrator has control of definition updates and the like.
When scanning, a bar appears with the estimated time remaining, and indicators show how many spyware fingerprints are loaded and what type of items are being inspected.
While not as comprehensive as some of the other applications in this review, Webroot Enterprise Server definitely has its place within a small-to-medium enterprise, particularly where there is already a level of satisfaction with existing antivirus and desktop security policies.
For our evaluation and testing purposes we recorded how many signatures were matched (remember there could be multiple signature triggers per instance, and some may register hundreds of times for one single infection), how many individual infections the applications logged, and rationalised the results.
Our rationalisation methodology means we don't count cookies as individual infections. This discounts false positives. We then ensure that no single threat has been counted multiple times. Sometimes minor variances in the signatures can cause the application to register the same infection twice.
What to look for
The biggest disappointment of the testing was Lavasoft, which only managed to pick up one out of the nine items. The second last, surprisingly, was Trend Micro with three detections only. Microsoft, Webroot, and McAfee all came in with four detections each.
Symantec came out on top but only when running its full-system scan. It hit nine out of 10 of the installed spyware and adware programs. Its quick-scan performance was disappointing, coming in at just four detections. The problem with the Symantec full system scan was that it took more than 40 minutes to complete. Bear in mind, however, that both Symantec and McAfee are scanning for viruses as well as spyware so one would expect slightly more time to be taken. That said, 30 (McAfee) or 40 minutes (Symantec) is still a big leap from the next slowest -- Webroot at a shade under nine minutes. All other recorded times were less than seven minutes, with Computer Associates the quickest at just 45 seconds.
1. Lavasoft (smart system scan)
2. Computer Associates
3. Symantec (quick scan)
1. Computer Associates
2. Lavasoft (smart system scan)
3. Trend Micro
Accuracy in detection (out of 10)
1. Symantec (full scan) 9Specifications
2. Computer Associates 6
3. PC Tools (quick and full scans) 6 each
|Product||eTrust PestPatrol Anti-Spyware||Lavasoft Ad-Aware SE Enterprise||McAfee Anti-Spyware Enterprise||Microsoft Windows Defender (Beta)||Spyware Doctor||Symantec Client Security 3.0||Anti-Spyware for SMB||Spy Sweeper Enterprise 2.5|
|Vendor||Computer Associates||Lavasoft AB||McAfee Inc||Microsoft||PC Tools||Symantec||Trend Micro||Webroot|
|Phone||1800 999 985||+35 8 9693 2220||1800 644 646||13 20 58||9691 3576||1800 000 423||1800 642 421||800 870 8102|
|Price||From AU$30 per seat||100 licences AU$3,998||AU$19.43 per user (101-250 users)||Currently in beta testing||approx AU$39.95 per user (depends on exchange rate)||AU$68.90 per user for 100 users, with one-year gold maintenance||AU$30 per node for 5 nodes||100 seats AU$27.81 per seat|
500 seats AU$23.54 per seat
1000 seats AU$20.46 per seat
|Warranty||Can be purchased with product||14 days return right||One year, 24 x 7 telephone support||Current in beta testing||30-day money back||Technical support and upgrade insurance is provided through gold maintenance||30 day satisfaction guarantee||60 days|
|On demand scanning||Yes||Yes||Yes||Yes||Yes||Yes||Yes||Yes|
|On access scanning||Yes||Yes||Yes||Yes||Yes||Yes||Yes||Yes|
|Actions||disk scan, registry scan, memory scan, active protection||Disk scan, registry scan, real time scan||On demand scan, on access scan, user definition of unwanted programs||Disk scan, registry scan||Disk scan, registry scan||Disk/registry scan, side-affect repair, network traffic protection, protection from the loss of privacy information||Disk, registry, memory scans, foreground or background TrickleScan. CWShredder to detect and remove CoolWebSearch variants. Privacy protection tools, history cleanup utilities||Files, .INI files, registry, services, running applications|
|Central management support||Yes||Yes||Yes||Not in Windows AntiSpyware, but will be included in Microsoft client protection||No||Yes||Yes||Yes|
|Central notification/ |
|Yes||Yes||Yes||Not in Windows AntiSpyware, but will be included in Microsoft client protection||No||Yes||Yes||Yes|
|Supported OS||All Windows||Windows NT 4, 2000, XP, 2003||All Windows||All Windows||All Windows, except NT||Windows 2000 and above |
NetWare 5.1 and above
|Microsoft Windows XP Professional, 2000, 2000 Server, 2003 Server||All Windows|
Winner: Computer Associates eTrust Pest Patrol and Symantec Client Security. Once a network goes above 150 nodes the case for centralised management command and control capabilities becomes more important. CA wins here for its performance and ease of management, and Symantec for its accuracy.
Scenario: This smaller (less than 150 users) company is seeking dedicated anti-spyware. It is seeking a solution that can detect and clean up a range of malware on its machines.
Winner: PC Tools Spyware Doctor 3.0 for its ease of use, accuracy, and performance.
Editor's Choice: Symantec Client Security 3.0
It was neck and neck for the Editor's Choice Award between CA and Symantec. Had CA or even PC Tools detected more (they were both above average), they could have won, however, Symantec blitzed the field in detection which is really what you want. Note that this is at a trade-off to performance, and bear in mind that Symantec also includes antivirus, so your decision may come down to what virus scanning policy and system your business is already using.