A recent report by independent US market research company Radicati, titled "Corporate Anti-Spyware Market 2005-2009", predicts that the number of corporate users with anti-spyware tools will grow from 16 million users in 2005 to 540 million in 2009, an increase that will invariably be reflected here in Australia.
The surge in popularity of spyware has drawn debate about the actual definition of the term. Advertising companies have been threatened with litigation when anti-spyware applications detect and report their products, arguing that they are legitimate adware, not unwanted spyware.
Are the advertising companies right? Do people want adware? It all comes down to the End User Licence Agreement (EULA) -- you know, where you automatically click "accept" while installing a new application without a second thought of what it says. These legitimate adware marketing enterprises suggest that if you do not wish to have your browsing habits tracked, or receive browser pop-up notices etc, then you should read the EULA carefully before installing an application to ensure that there are no clauses that allow this kind of activity. The theory being, if a user accepts and acknowledges that they are willing to have their details/habits/information used, then the application doing so should not be classed as spyware, it is adware -- undoubtedly a tenuous assertion.
Whichever way you slice it, spyware and adware still fall into an application category where information is collected and reported back to base.
It ranges from the relatively harmless advertising/marketing information gathered about computer users' Internet browsing habits, through to the much more malicious examples where information such as banking details, credit card details, usernames, passwords, or even personal details are gathered.
The results of the use, or misuse, of information gathered by these methods can be as innocuous as browser popup advertisements, through to full-scale identity theft, credit card fraud, or stolen banking usernames and passwords.
Technically some spyware may be desirable in an enterprise environment. Several vendors have produced some capable commercial key-logging applications that enable management to monitor employees' behaviour and ensure that the acceptable usage policies are being upheld by staff members.
In our experience some vendors' anti-spyware solutions pick up these commercial key-loggers and others don't. If a hacker does their homework and discovers an organisation that uses an anti-spyware application that does not pick up certain key-loggers, all the hacker needs to do is purchase a commercial key-logger and install it on the target's PC.
To kickstart you in your search for the right anti-spyware application for your business we asked a variety of vendors to submit the product in their lineup that would best suit a company with 150 staff. We received products from eight vendors: Computer Associates, Lavasoft, McAfee, Microsoft, PC Tools, Symantec, Trend Micro, and Webroot. There is also a range of products that offer free, or free-to-try anti-spyware that can be downloaded off the Web -- one of the most popular is Spybot's Search & Destroy.
Anti-spyware products fall into two separate categories: those that are ultimately separate, standalone applications requiring local administration and management, and those that support centralised and remote management functionality. Where applicable we have noted this in the product write-ups. The product write-ups also look at installation, configuration, ease of use, the updating of signature files, scanning, and reporting options.
The third anti-spyware variation, not reviewed here, is the anti-spyware gateway, which is based on the principle of blocking threats at the perimeter before they have a chance to enter the network. Anti-spyware gateways can also detect, block, and isolate spyware threats on an infected internal network machine. These products can be appliance (hardware) or application (software) based.
A freeware solution, S&D has been around since the dark ages. Therefore we decided to throw it in for good measure. S&D is a client-based application that installed very quickly and easily.
S&D offers two forms of permanent protection, SDHelper to protect Microsoft's Internet Explorer and TeaTimer to protect the system settings.
A neat feature and part of the initial configuration that S&D performs is giving the operator the option of performing a complete registry backup. Next is a search for updates.
There are two modes with S&D: the default mode and an advanced mode which gives the power user options to tweak. For those with a multilingual bent there are also five languages supported which can be swapped at the click of a button.
Updates are relatively complex when compared with the competition. Updates are completed by clicking the update icon in the left-hand menu and then clicking search for updates in the window to the right. A list of available updates is then presented and the operator can pick and choose which ones to download prior to clicking on the download updates icon.
Scanning is straightforward, cycling through some 30,000+ threat signatures. In summary, Spybot S&D 1.4 is a basic desktop anti-spyware scanner with minimum frills.
The Pest Patrol product is essentially a basic anti-spyware application well suited to a small- or medium-sized enterprise not wanting the bells and whistles of some of the bigger, more converged, packages.
It would be particularly suited to smaller organisations that already have good antivirus and desktop security products and procedures in place but need to add anti-spyware capability.
Pest Patrol is a distributed, centrally managed product that overall is very easy to use and, due to its "no-frills" approach to management, is also very easy to administer.
Installation for this product is a breeze, with all the software necessary up and running with a minimum of fuss, including Microsoft's .NET framework 1.1. Once launched, the application immediately prompts you to download and install any required updates.
Configuration of Pest Patrol is easy: most of the one-off tasks occur in the "Server Activities" tab of the application. Administrators can also manually launch scans of workstations in their domains/workgroups from the application, or schedule automatic workstation tasks according to daily or weekly plans.
Updating signature files is automatic and whenever the operator launches the eTrust Pest Patrol management console the system automatically notifies them of any available updates, but the paranoid administrator can also do a manual check for these.
Using the management console, the status of individual workstations can be viewed at a glance -- icons change for each machine depending on the status. If a threat has been detected on a particular machine, for example, a big yellow exclamation mark is displayed. From here the operator can drill down to view the logs and take action if it has not already been automatically initiated, which is a handy feature. Reporting is limited to text-based log systems which is better than none at all.
The Lavasoft installation has two components -- the Ad-Axis server, and the installation of each client application (that talks with the server on a user-defined port). Installation took less than 30 seconds for the server and clients can be done even faster.
Anyone familiar with the ease of use offered by Lavasoft's traditional desktop product will feel right at home with the Ad-Axis Management console.
There is virtually nothing to do, you simply ensure that the clients are listed and schedule automatic updates and client scans. Signature file updates can be scheduled with the Ad-Axis server, and can be easily checked by using the management console.
There is no real reporting available from the management console but notifications can be set to be e-mailed once triggered.
While Lavasoft's centrally managed server/client application is well suited to enterprises, overall it shows its original desktop roots. This is not necessarily a bad thing but for our liking the product is a little too light in features and reporting and lacks things such as the ability to have multiple domain policy groups with individual control per group, and the availability of detailed integrated report generation/charts.
As you can see from the name, McAfee's anti-spyware product incorporates antivirus among its security features -- it is all part of the push towards convergent technologies. The company is raising the stakes when it comes to integrating threat-management applications, and this product is designed as a one-stop shop for desktop protection.
McAfee VirusScan was one of the easiest of all the enterprise-level applications to install. Beyond that, its initial configuration involves modifying the network driver to enable port blocking, infection trace, and infection-trace blocking. The main configuration, performed within the VirusScan console, is straightforward using a well-laid-out and intuitive interface and menu system.
There is another degree of administrative control for the product which can be found in the on-access scan properties section -- these two configuration sections enable full control and custom configuration of on-demand and on-access security controls for the machine. Several other features exist in this product, including the ability to centrally or remotely manage and administer the product. It also has the ability to perform some heuristic scanning to detect suspected viruses, and allows you to lock down system files to ensure any unknown spyware/Trojans, etc, do not gain access to write to that directory.
The product is technically complex, and operators may find themselves initially overwhelmed by the amount of custom control they can have over the application. After a short time with the interfaces, however, this becomes quite logical and intuitive. We feel this is a good thing, as the more control you have over options the better off you are in the long run.
When it comes to updating signature files and applications, this is one of the products to use -- the user simply has to right click once on a small task bar icon and select "Update Now" from the menu. The scanning progress is very visual with a lot of information provided. Reporting summaries are also clear and concise and a log file is generated that can be viewed via the application.
If you are looking for a fully integrated desktop security solution then you would be hard pressed to go past McAfee's VirusScan Enterprise 8.0 + Anti-Spyware Module. This product is definitely on the shortlist if you are considering a complete forklift replacement of existing antivirus and anti-spyware applications.
Just prior to this review, Microsoft's Antispyware product was renamed "Defender". Still currently in Beta version, Microsoft plans to release an updated version before the end of December, adding that it will soon be shipped as a part of Vista.
Because it is a standalone, client-based anti-spyware solution, the Microsoft product is less easy to administer and manage in the enterprise environment. That said the installation itself was quick and straightforward.
When started for the first time the user is run through several configuration options and given the chance to do the first scan of the system. Running either a quick scan or full system scan is only a few clicks away, and the user can also configure the system to schedule automatic scans.
All of the products we tested here have provided a quick and easy way to update signature files, and the Microsoft product is no exception -- simply click on "File" and select "Check for updates" in the menu that appears. Information provided during scanning and post-scan reports are adequate and contain enough information for most operators to get by.
For a small organisation, with say less than 150 or so users, Microsoft's Anti-Spyware Beta1 application may suffice. However, as this product is still in Beta it may be better to consider more fully developed and robust products.
Spyware Doctor has been well received by home users, as has this standalone client-based application for enterprises.
Installation of Spyware Doctor is straightforward, and the product prompts the user to perform a live update to bring the latest available patches and databases onto the machine. Once the update is complete the program launches and performs a full-system scan. This full scan was blazingly quick compared to some of the other products tested.
Configuration for most tasks can be found in the main menu and you can also find some settings for the "OnGuard" protection system under its own menu tree. In terms of on-access scanning, Spyware Doctor has one of the most comprehensive systems we have seen, with a variety of guards, immunisers, schedulers, and blockers -- something for anyone with a fetish for tuning and tweaking. While the tuning/configuration side of things may sound quite daunting, the out-of-the-box default settings are really quite good -- there is no need to make any changes unless a particular environment requires it.
PC Tools employs a live update system with the icon residing on the main application window -- a single click and the system will check for patches and updates. When scanning the information provided is clear and concise. The reporting function post-scan presents the operator with a clear indication of where possible threats may lurk. There is an excellent log viewer in the "Settings" menu and it also provides really neat activity reports.
For businesses with up to 150 or so employees, PC Tools Spyware Doctor 3.2 should definitely be on the shortlist. For larger enterprises, keep an eye out for the centrally managed version when it is released.
Similar to the McAfee product, Symantec shows its roots as an antivirus company, bundling its anti-spyware product with antivirus and firewall capabilities. These are not bad things provided you don't already have another preferred antivirus vendor or client firewall application. If you do you are doubling up on your protection, which in some cases can be a positive thing but it also means doubling up on software licensing and administration/maintenance overheads as well.
Installation is surprisingly straightforward and intuitive for what initially seems to be a very daunting application (over 326MB zipped). It can be run as a standalone unmanaged client or as a fully managed system. It includes both client and server software.
Once installed, the operator can perform a live update to bring the system up to date with the latest patches and definitions.
Using a menu configuration system is a good idea for such a complex product and this menu system proves easy to use. The left-hand menu contains a list of all the top-level options that can easily be launched. The administrator can drill further down by expanding the item requiring further configuration.
The scanning and reporting functions are integrated into one window once scanning is launched, with adequate levels of information provided including files scanned, threats found, elapsed time, the risk found, action performed, and the filename of the identified threat.
If you want a complete desktop protection application then you should definitely take a look at Symantec Client Security 3.0.
Trend Micro's anti-spyware product is a centrally managed server/client application that is very easy to use and quite intuitive given the relative complexity involved in most enterprise solutions.
Installation is straightforward and client software can be installed on each PC in the domains requiring protection -- this is easily performed by selecting the workstation in the "My Network" section of the administrative console and selecting "Install".
Configuration is also relatively easy -- we think any experienced enterprise-level administrator will require only an hour or two with this product to be able to customise and scan systems on their network according to their needs.
The initial configuration launches a browser-based administrative console that enables the operator to select from the domains to protect. Please note that Apache Web server for Windows is installed as part of the server install so administrators with fears about "auxiliary" applications potentially punching holes in the business's security policies may need to look into this.
Updating signature files can be set to automatic in the policy control. The system, like many other applications produced by Trend Micro, is policy based. This is handy as it lets administrators set up groups of machines with specific configurations. From here, administrators can automate much of the day-to-day threat-scanning jobs, tailoring them to specific roles or groups within the organisation.
Scanning can be completed from an administration console that is browser based, a neat feature which enables administrators to access it from virtually anywhere the business's security policy will allow.
Reporting is also accessed from this console and the product has comprehensive reporting options. If your enterprise already has its antivirus and other desktop-related security controls in hand and is just looking for a powerful, easy-to-use anti-spyware application then the Trend Micro Anti-Spyware for SMB 3.0 product will be very hard to go past -- definitely one for the shortlist.
We found Webroot's dedicated anti-spyware product very easy to learn and to use -- navigation is simple and most of the hard work has already been done before you even take it out of the box.
Before installation the software runs through a range of preliminary queries related to the initial configuration of the server application. Installation of this server/client application takes a little longer than some of the others, but at the end of the day this is not a task that would need to be done very often.
Configuration is handled via the administration console, enabling the operator to control the individual updates and scan configurations of the client PCs. While each client can still be allowed to initialise their own scans (should they wish), the administrator has control of definition updates and the like.
When scanning, a bar appears with the estimated time remaining, and indicators show how many spyware fingerprints are loaded and what type of items are being inspected.
While not as comprehensive as some of the other applications in this review, Webroot Enterprise Server definitely has its place within a small-to-medium enterprise, particularly where there is already a level of satisfaction with existing antivirus and desktop security policies.
We used an AMD Athlon 64 3400+ with 2GB RAM running Windows 2000 as a host operating system and VMware GSX Server on top of that. For each test, the VM image we used was 512MB RAM and a patched up-to-date Windows 2000 Professional install. All the testing was conducted within a single day and each package had the latest updates and definition files available applied. Testing was conducted with a range of spyware as well as adware applications. Centrally managed systems, where possible, were set to monitor a separate virtual machine.
For our evaluation and testing purposes we recorded how many signatures were matched (remember there could be multiple signature triggers per instance, and some may register hundreds of times for one single infection), how many individual infections the applications logged, and rationalised the results.
Our rationalisation methodology means we don't count cookies as individual infections. This discounts false positives. We then ensure that no single threat has been counted multiple times. Sometimes minor variances in the signatures can cause the application to register the same infection twice.
- Test 1.1 -- Accuracy, clean machine. We created clean images for each product and installed each anti-spyware application. We then ran the scans and had a look to see if anything was reported on a clean system with a fresh and patched operating system. The purpose of this was to see if any applications generate false positives out of the box.
- Test 1.2 -- Accuracy, infected machine. We created clean images for each program on test, and prior to installing the anti-spyware application we infected the machine with spyware applications and installed some adware applications. Once the anti-spyware applications were installed we ran the default scans and recorded the results, signatures detected, and instances detected. We then rationalised the results (removed false positives, excluded cookies from individual infection count, and ensured no double counting of single instances). This test will show how well the applications perform detecting spyware and adware on machines that are already infected with spyware and have adware applications installed.
- Test 2.1 -- Effectiveness. Using the same scan results of Test 1.2, we took the top three applications that had detected the most infections and instructed each one to remove everything they found in the scan from the PC. Once cleaned, we performed a scan with that application to ensure no further or residual items were found.
- Test 3.1 -- Performance clean machine. We installed all anti-spyware applications onto one clean image and ensured that all automated scanning was disabled and none of the anti-spyware applications were memory resident -- this provides us with our system baseline resource usage information. We then ran the default scans recommended by the vendors and recorded the times. This test was repeated three times and the scores averaged.
- Test 3.2 -- Performance infected machine. We installed all anti-spyware applications onto one clean image and ensured that all automated scanning was disabled and none of the anti-spyware applications were memory resident. We then installed the same spyware and adware used in Test 1.2, but this time ran the default scans recommended by the vendors and recorded the times. This test was repeated three times and the scores averaged. We disabled the "Auto Clean" function of the applications to ensure we could perform repeated scans to measure the performance. We also ensured that on each pass the anti-spyware applications returned the same results.
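The rationalisation described above (drop cookies, discount false positives, count each infection once however many signatures fire) can be scripted so that every product's scan log is scored the same way. The following is an added example, not part of the original review; the hit record layout, the family-normalisation rule and all sample names and paths are constructed assumptions.

```python
"""Rationalise raw anti-spyware scan hits into a count of distinct infections.

Added example: the record layout, the naming convention assumed by family()
and every sample below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    signature: str   # name the scanner reported
    kind: str        # "file", "registry", "process" or "cookie"
    location: str    # path, registry key or cookie host


# Assumed naming convention: optional "Category." prefix, family name, then an
# optional variant suffix such as ".b", "-2" or "/Variant".
_PREFIX = re.compile(r"^(adware|spyware|trojan|keylogger)[.:/]", re.I)
_VARIANT = re.compile(r"([./-](?:[a-z]|\d+|variant|gen))+$", re.I)


def family(signature: str) -> str:
    """Collapse minor signature variations onto one family key."""
    name = _PREFIX.sub("", signature.strip())
    name = _VARIANT.sub("", name)
    return re.sub(r"[^a-z0-9]", "", name.lower())


def rationalise(hits, installed):
    """Return raw and rationalised results for one product's scan.

    installed: names of the samples deliberately placed on the test image.
    """
    truth = {family(name) for name in installed}
    per_family = Counter()
    cookies = 0
    false_positives = set()
    for hit in hits:
        if hit.kind == "cookie":      # cookies are not individual infections
            cookies += 1
            continue
        key = family(hit.signature)
        if key in truth:
            per_family[key] += 1      # many matches, still one infection
        else:
            false_positives.add(key)  # reported, but never installed
    return {
        "signature_matches": len(hits),
        "cookies_excluded": cookies,
        "false_positives": sorted(false_positives),
        "detected": sorted(per_family),
        "missed": sorted(truth - set(per_family)),
        "score": f"{len(per_family)}/{len(truth)}",
    }


# Constructed ground truth and scan log (not real product output).
INSTALLED = ["SampleBar", "DemoLogger", "PopupPal", "TrackAgent"]
HITS = [
    Hit("Adware.SampleBar", "file", r"C:\Program Files\SampleBar\bar.dll"),
    Hit("Adware.SampleBar.b", "registry", r"HKLM\Software\SampleBar"),
    Hit("SampleBar/Variant", "registry", r"HKCU\Software\SampleBar\Settings"),
    Hit("Spyware.DemoLogger", "process", "dlog.exe"),
    Hit("DEMOLOGGER-2", "file", r"C:\WINNT\system32\dlog.exe"),
    Hit("Tracking Cookie", "cookie", "ads.example.com"),
    Hit("Tracking Cookie", "cookie", "stats.example.net"),
    Hit("Adware.PopupPal", "file", r"C:\Program Files\PopupPal\pp.exe"),
    Hit("Adware.CleanTool", "file", r"C:\WINNT\notepad.exe"),
]

if __name__ == "__main__":
    for field, value in rationalise(HITS, INSTALLED).items():
        print(f"{field:18} {value}")
```

Nine raw signature matches reduce to three distinct infections out of four installed samples, which is why raw match counts from different products cannot be compared directly.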
What to look for
- Accuracy. This is key; ensure the application can detect what your enterprise sees as its biggest threat from spyware. Try to evaluate to see if resident threats are catered for as well as new incoming threats.
- Management. Smaller organisations will not be affected as much as larger organisations but take a look at your antivirus needs and you will see that anti-spyware should be closely aligned.
- Performance. This is important, especially in an organisation requiring regular scanning. The quicker the scan the less interruption staff will experience.
- Effectiveness. Test to make sure the application is capable of cleaning all instances of detected spyware from the machine, so that engineers and administrators do not waste valuable hours manually cleaning or rebuilding infected PCs.
Clean machine accuracy and performance testing
- Accuracy: Only Lavasoft and Spybot Search & Destroy picked up anything when instructed to scan a newly installed and patched version of Microsoft's Windows 2000 Professional. Both reported Alexa (adware) related items. The other seven applications in this test correctly reported no items.
- Performance: Lavasoft was the fastest followed by Computer Associates and then Symantec (for its quick scan).
Out of the six central management capable enterprise anti-spyware applications in this review (McAfee, Symantec, Computer Associates, Trend Micro, Lavasoft, and Webroot) Computer Associates was the easiest application to use and the quickest to scan (45 seconds). Its detection rate came equal second with PC Tools (six detected).
The biggest disappointment of the testing was Lavasoft, which only managed to pick up one out of the nine items. The second last, surprisingly, was Trend Micro with three detections only. Microsoft, Webroot, and McAfee all came in with four detections each.
Symantec came out on top but only when running its full-system scan. It hit nine out of 10 of the installed spyware and adware programs. Its quick-scan performance was disappointing, coming in at just four detections. The problem with the Symantec full system scan was that it took more than 40 minutes to complete. Bear in mind, however, that both Symantec and McAfee are scanning for viruses as well as spyware so one would expect slightly more time to be taken. That said, 30 (McAfee) or 40 minutes (Symantec) is still a big leap from the next slowest -- Webroot at a shade under nine minutes. All other recorded times were less than seven minutes, with Computer Associates the quickest at just 45 seconds.
1. Lavasoft (smart system scan)
2. Computer Associates
3. Symantec (quick scan)
1. Computer Associates
2. Lavasoft (smart system scan)
3. Trend Micro
Accuracy in detection (out of 10)
1. Symantec (full scan) 9
2. Computer Associates 6
3. PC Tools (quick and full scans) 6 each
| Product | eTrust PestPatrol Anti-Spyware | Lavasoft Ad-Aware SE Enterprise | McAfee Anti-Spyware Enterprise | Microsoft Windows Defender (Beta) | Spyware Doctor | Symantec Client Security 3.0 | Anti-Spyware for SMB | Spy Sweeper Enterprise 2.5 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Vendor | Computer Associates | Lavasoft AB | McAfee Inc | Microsoft | PC Tools | Symantec | Trend Micro | Webroot |
| Phone | 1800 999 985 | +35 8 9693 2220 | 1800 644 646 | 13 20 58 | 9691 3576 | 1800 000 423 | 1800 642 421 | 800 870 8102 |
| Price | From AU$30 per seat | 100 licences AU$3,998 | AU$19.43 per user (101-250 users) | Currently in beta testing | approx AU$39.95 per user (depends on exchange rate) | AU$68.90 per user for 100 users, with one-year gold maintenance | AU$30 per node for 5 nodes | 100 seats AU$27.81 per seat; 500 seats AU$23.54 per seat; 1000 seats AU$20.46 per seat |
| Warranty | Can be purchased with product | 14 days return right | One year, 24 x 7 telephone support | Currently in beta testing | 30-day money back | Technical support and upgrade insurance is provided through gold maintenance | 30 day satisfaction guarantee | 60 days |
| On demand scanning | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| On access scanning | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Actions | Disk scan, registry scan, memory scan, active protection | Disk scan, registry scan, real time scan | On demand scan, on access scan, user definition of unwanted programs | Disk scan, registry scan | Disk scan, registry scan | Disk/registry scan, side-effect repair, network traffic protection, protection from the loss of privacy information | Disk, registry, memory scans, foreground or background TrickleScan. CWShredder to detect and remove CoolWebSearch variants. Privacy protection tools, history cleanup utilities | Files, .INI files, registry, services, running applications |
| Central management support | Yes | Yes | Yes | Not in Windows AntiSpyware, but will be included in Microsoft client protection | No | Yes | Yes | Yes |
| | Yes | Yes | Yes | Not in Windows AntiSpyware, but will be included in Microsoft client protection | No | Yes | Yes | Yes |
| Supported OS | All Windows | Windows NT 4, 2000, XP, 2003 | All Windows | All Windows | All Windows, except NT | Windows 2000 and above; NetWare 5.1 and above | Microsoft Windows XP Professional, 2000, 2000 Server, 2003 Server | All Windows |
Scenario: This larger (over 150 users) company is seeking dedicated anti-spyware. It needs a solution that can detect and clean up a range of malware on its machines.
Winner: Computer Associates eTrust Pest Patrol and Symantec Client Security. Once a network goes above 150 nodes the case for centralised management command and control capabilities becomes more important. CA wins here for its performance and ease of management, and Symantec for its accuracy.
Scenario: This smaller (less than 150 users) company is seeking dedicated anti-spyware. It is seeking a solution that can detect and clean up a range of malware on its machines.
Winner: PC Tools Spyware Doctor 3.0 for its ease of use, accuracy, and performance.
Editor's Choice: Symantec Client Security 3.0
It was neck and neck for the Editor's Choice Award between CA and Symantec. Had CA or even PC Tools detected more (they were both above average), they could have won; however, Symantec blitzed the field in detection, which is really what you want. Note that this is at a trade-off to performance, and bear in mind that Symantec also includes antivirus, so your decision may come down to what virus scanning policy and system your business is already using.