Get Smart: Enterprise Antispyware

Compare 3 products that expose spyware in the enterprise

An increasing threat to business productivity, the prying eyes of spyware can expose crucial information about your enterprise or customers to the outside world. Spyware not only slows down your computer, it sends personal information to strangers without your knowledge or consent. Whereas viruses and worms infect or corrupt a single file and are relatively easy to detect and remove, spyware is much more insidious, often actually installing programs without your knowledge. Spyware is a master of disguise, masquerading as an innocuous Microsoft Outlook helper bar that lets you add emoticons, for example, while in the background monitoring your email. The information that spyware collects varies from the content of files stored on your computer, to your email contacts, to URLs for the Web sites you visit. Spyware might actually record your keystrokes, take screen shots of your computer session, redirect your Web browser to unwanted sites, or corrupt your computer.

Many security software vendors offer products to detect and eliminate spyware. In this article, I compare three standalone enterprise antispyware products and look at some of the features that you should consider before choosing a product for your business. (If you're considering combining bundled and standalone products, see the sidebar "A Drawback to Bundles" for information about a common downside to this approach.)

Testing the Products
The products in this review detect and remove only spyware—not viruses—so you aren't required to purchase a particular antivirus package to run with any of these products. Standalone products offer a stronger, more effective package than an integrated solution does because they focus solely on detecting spyware instead of trying to solve multiple problems. I've found several antivirus software vendors who claim to detect some versions of spyware with their antivirus engine, but in my experience they fall short of the standalone products.

Antispyware effectiveness depends upon the robustness of the detection engine and the accuracy and timeliness of the updates—not just for detecting new spyware but also for eliminating false positives from earlier updates. Your antispyware product should let you schedule automatic downloads of new signatures. Most companies—including those in this review—provide new signatures through a subscription service that's included in the annual maintenance fee.

I reviewed Sunbelt Software's Counter-Spy Enterprise, Trend Micro Anti-Spyware Enterprise Edition, and Webroot Spy Sweeper Enterprise. Targeted at midsized-to-large businesses with more than 50 seats, these products include enterprise features such as centralized configuration, remote client deployment and management, and reporting and alerting. (See Table 1 for a comparison of the products' key features.)

For this review, I compared product usability and effectiveness at finding and removing spyware. My tests included using the products to deploy agents, scan remote clients, and remove all found threats.

My test system was a computer running Windows XP Service Pack 2 (SP2) with all security patches installed. I loaded the system with all sorts of spyware and adware, including dialers, hijackers, and system monitors, such as keystroke loggers. The spyware I tested included abcsearch4u, 550Access toolbar, Track4Win, pinfo dialer, FindWhateverNow, CoolWeb search, Chat Blocker, Activity Monitor 2002, SpyBuddy, DialerClub, and Mysearchpage.

From each antispyware product's centralized console, I scanned the infected client to see how well the product detected and cleaned the infested system. After the initial scan, I rebooted the infected system and used the same product to scan again.

All three products disabled all spyware on the test system. Spy Sweeper detected and silently removed all infections. Counter-Spy's real-time protection lit up the console like a Christmas tree after the reboot, catching multiple attempts to reinfect. The Trend Micro product's prompt message told me to restart the client to fully clean it, hinting at Anti-Spyware Enterprise's ability to clean locked files. Although only Trend Micro's product actually prompted me to reboot, every product required several reboots and scans to fully clean the system.

CounterSpy Enterprise
Sunbelt Software's CounterSpy Enterprise provides centralized spyware scanning and real-time protection at a low price. Everything you need to manage your agents, policies, quarantine, and reports is just a few clicks away from the main screen. The Win32-based console is easy to use, but it seems geared to managing small numbers of clients and lacks some features that I expect in enterprise-class products. For example, only one user at a time can access the console through Terminal Services. And if you connect two consoles to one server, changes made at one console might not be reflected in the other.

CounterSpy manages remote agent behavior through customizable policies. You can create one or many policies and assign different agents to those policies to suit your needs. For example, you can choose more frequent scans for high-use workstations and specify a "quick" scanning policy that won't affect performance for your servers. One nice feature of CounterSpy is that it lets you choose between two types of scans, dubbed "quick" and "deep" scans. You can customize the parameters of each type of scan, such as the depth of folders to search, whether to check processes for spyware, whether to look for tracking cookies, and whether to check the registry for evidence of spyware, as well as which drives to scan.

CounterSpy shows you the many threats it can detect and groups them into more than 40 categories, such as adware, browser hijacker, dialer, and key logger. The threat database is easily accessible from the administrative console, letting you quickly research threats. The console includes a link to the CounterSpy research center, which details the threat type, description, and advice on how to handle the threat. In addition to using Sunbelt's own team of spyware researchers and a community-driven spyware threat notification network, CounterSpy shares spyware definitions with Microsoft Windows Defender (formerly Microsoft Windows AntiSpyware beta). In your policies, you can create a whitelist of acceptable, low-risk threats to your network that you deem benign or useful, such as advertising cookies that help deliver targeted, interesting ads. A standout feature of the CounterSpy UI is its data sorting and grouping, which is especially useful when viewing a lot of data, such as the threat list. Being able to categorize all threats really helps.

Like the other products in this review, CounterSpy requires that you deploy an agent on every client computer. You can choose which computers to monitor by using Active Directory (AD), browsing the network, or specifying machine names or IP addresses, then install the software using the automated push-pull installation. Alternatively, you can deploy the agents using a custom package that you install on clients manually or by using Group Policy, logon scripts, or a third-party package-deployment product.

You can also permit end-user–initiated scans, log data locally, specify whether to hide the agent taskbar icon, and determine whether and how frequently the agent should update its threat definitions and software. After installation, the agent displays a minimalist UI. When enabled, the task icon shows whether CounterSpy is currently scanning or idle. Right-clicking the icon lets you initiate a scan and reset choices you might have made in the product's Active Protection.

Active Protection is CounterSpy's near-real-time monitoring feature, which consists of many centrally enabled monitors, as Figure 1 shows. These monitors enforce an end user's ability to perform risky actions, such as installing ActiveX controls and browser helper objects and editing the HOSTS file. In contrast to the detail CounterSpy provides about the threat database, the product doesn't describe what each monitor does, forcing you to refer to the product documentation for more information.

The default action of any policy is to merely report on spyware, which lets you see what threats the product is finding. After a few scans, you'll want to increase the protection to Quarantine or Delete. The Quarantine setting moves perceived threats into an isolated repository, from which you can remove items that you later discover aren't threats. CounterSpy lets you set different actions per spyware category. For example, you can delete adware and keyloggers but quarantine browser plug-ins. Managing spyware that's in quarantine is cumbersome, however, so for a category such as cookies that generates lots of threats, you'll want to bypass the quarantine and use the Delete setting.

CounterSpy Enterprise includes seven prebuilt reports that you can customize by date. You need to be careful interpreting the data because the reports seem to show multiple occurrences of unique threats found over a period of time. Let me explain what I mean. If you scanned a computer 10 times and each scan showed the same threat, the reports would show 10 instances of that threat, which is misleading. I'd expect reports to show that threat just once. CounterSpy uses Crystal Reports to generate the reports, so you get additional features such as drilldown. You also can export reports as an Adobe PDF file, Microsoft Excel spreadsheet, or Microsoft Office Word document.

One feature CounterSpy lacks is a live dashboard that displays the current state of spyware in your network. A live dashboard lets you take direct action or even override a policy setting—to quarantine a discovered threat, for example, or delete a quarantined item from a past scan. CounterSpy also lets you select multiple items in some but not all cases, such as when cleaning out the quarantine. Although manageable for smaller networks, these little annoyances become magnified in enterprise deployments.

CounterSpy Enterprise 1.5

PROS: UI makes configuration and scanning a snap; supports AD for getting lists of clients; easy client installation
CONS: Lack of a dashboard makes it difficult to get an overall assessment after a scan; reports accumulate threats over multiple scans, which can be misleading; cumbersome quarantine management
RATING: 3.5 out of 5
PRICE: $1800 for 100 seats, $11,000 for 1000 seats.
RECOMMENDATION: A good pick for enterprises on a budget.
CONTACT: Sunbelt Software * 888-688-8457 *

Trend Micro Anti-Spyware Enterprise Edition 3.0
Systems administrators will feel right at home managing the Trend Micro Anti-Spyware Enterprise Edition (ASEE) infrastructure, which uses the familiar Microsoft IIS or Apache Web server service as its front-end application server and a MySQL back-end database. The use of these technologies eases integration into larger companies that are already familiar with them.

Small offices or gadget-happy administrators might prefer the granular features found in other products, but administrators seeking a solid "set it once and forget it" product will find ASEE appealing. Although ASEE is a standalone product, it snaps into Trend Micro's Control Manager enterprise framework. One drawback is that ASEE can provide certain ancillary functions, such as alert notification, only through the Control Manager framework.

Installation takes just a few minutes, after which you can begin to create policies, manage clients, and start scans, all from a Web browser. Using a Web browser means that you can run the administrative console from anywhere in your network, but ASEE's Web application feels dated compared with the UIs of the other products in this review. For example, every click on an item refreshes the browser and slows navigation. I also missed the ability to open shortcut menus by right-clicking and to drag and drop items.

Client behavior is determined by policies that you create. You can specify how the client should be installed and updated, define the scan type and when the scan should run, and specify whether threats should be automatically removed. ASEE lets you define one type of scan per policy—quick or full—and schedule that scan to run once or many times during the week as well as at startup. You can manually invoke a scan anytime, and you can remove threats with the click of a button. After a scan, you can create a whitelist of threats that you don't want ASEE to remove.

The My Enterprise Network tab in the administrative console presents a filterable list of servers protected by ASEE and shows your network status at a glance, including clients and threats. After a scan finishes, this tab lists in bright red the number of threats found. Drilling into the details is easy.

Click Clean All Threats, and ASEE will instruct the clients to remove spyware according to the options specified in the policy, such as whether to exclude certain spyware or to conduct a full or quick scan. If you mistakenly remove a threat that turns out to be a necessary cookie or application, you can undo the cleaning activity by restoring the system to a previous checkpoint. The restore doesn't list the specific pieces of spyware that were removed, but instead provides a timeline of scan sessions to choose from, which doesn't give much insight into the threats removed by each scan.

Trend Micro calls ASEE's real-time spyware prevention the Venus Spy Trap (VSP). The VSP prevents spyware from being run or installed. You can configure VSP centrally to allow, deny, or let the user choose whether to run an executable whose signature matches a spyware threat, but there are no configuration options beyond that. The footprint of the client is small, and it's invisible to the end user. The only evidence of a client is a process running in Task Manager and a log of activity in a Trend Micro-supplied folder. All management tasks, such as initiating scans, must be done from the administrative console. When cleaning a system, the client will occasionally prompt for a restart, which is necessary for removing some spyware. The other products in this review don't prompt for a restart even though it might be necessary to fully remove the spyware.

ASEE reporting is minimal: Four Java-based reports show a chart of current threats, a list of current threats, threats that have been cleaned, and a list of detected domains. Figure 2 shows the report of cleaned threats. These reports show the spyware in your environment since the last scan and resemble a dashboard, but without drilldown capability. ASEE's reporting interface also provides access to an event log showing the scan and event history of every client. The Power Search button helps filter the prodigious list of event entries.

A very cool feature is the automatic installation, which regularly polls the domain controller (DC) for new computers and automatically pushes the client to those it discovers. This feature means that you don't need to monkey around with external installation methods. Using the ASEE administrative console, you can also browse the domain, add clients to the database, then deploy the clients. However, ASEE doesn't create custom deployment packages for manual or scripted deployments. Instead, you must configure a generic installation package with server parameters, such as the ASEE server's IP address, and manage each license separately. This behavior makes remote deployment to standalone workstations difficult compared with other products in this review.

Trend Micro Anti-Spyware Enterprise Edition 3.0

PROS: Once you configure it, you can fire up the product and forget it; lightweight browser-based console means you can access it from anywhere in your network
CONS: No feedback at the client level about what's happening in the background; few server-configurable client options; Web UI lacks sophistication
RATING: 4 out of 5
PRICE: $1645 for 100 machines; $9450 for 1000 seats
RECOMMENDATION: Choose this product if you want a solid scanning and remediation engine and don't need detailed reports or granular client configuration options.
CONTACT: Trend Micro * 877-268-4847 *

Webroot Spy Sweeper Enterprise
Webroot Software's Webroot Spy Sweeper Enterprise includes it all: a dashboard that lets you quickly assess the state of spyware in your organization; scheduled sweeps; automatic protection through Smart Shields; a full, centrally managed client; useful reports; and command-line tools that let you extend the product through scripting.

The administrative console runs as a Web service, so you can access it from any computer in your network, but it doesn't look like a typical Web page. The interface is beautiful and well organized. A glance at the dashboard shows you neglected scans, which Spy Sweeper calls sweeps; out-of-date definitions; current infections; and a list of the top spyware threats in your network. It's too bad that you can't drill into these dashboards, but you can export the data as a comma-separated value (CSV) file for inclusion into other tools. The navigation pane uses a Microsoft Management Console (MMC)-like UI, as Figure 3 shows, so administrators will immediately feel at home. The administrative console also provides plenty of feedback about what it's doing. For example, during sweeps and other activities, Spy Sweeper updates a progress bar and item count so you know exactly what's happening and when scans finish.

Deploying clients is straightforward, but from the administrative console you can deploy them only to computers that can be reached using NetBIOS, which might not include every computer in your network. You can also deploy the client through Group Policy, directly from a share, or manually, by running the client installer on every computer via a logon script.

Spy Sweeper manages different client configurations through membership in groups that you set up. For each group, you can configure how long to keep individual categories of threats in quarantine, designate benign threats for a whitelist, initiate sweeps, and configure Smart Shield options. By default, Spy Sweeper quarantines files for 30 days, then automatically deletes them. This default configuration gives you a buffer in case the product removes a file or setting that you actually need, but doesn't require you to manually remove each threat.

You can configure most of the client-facing features centrally using the administrative console, but you can also allow end users to tweak those settings if you choose. At the group level, you can define a scheduled scan and configure how Spy Sweeper behaves at system startup—for example, whether it should retry a missed sweep, delay the scan start time, or scan only spyware-prone folders. In addition to making Spy Sweeper scan drives, folders, memory, and the registry, you can configure it to stay invisible, show a tray icon, or pop up during a scan. When visible, the full-featured client lets you see how a local installation is configured and even lets you change the configuration on the fly. Many administrators will choose to prevent end users from changing the configuration, but Spy Sweeper includes a neat feature that lets an administrator or Help desk technician override that restriction with a keystroke and a password entered at the client. This instant access to the client makes troubleshooting a local problem quick and easy.

Spy Sweeper's Smart Shields provide real-time client protection that prevents spyware from affecting various components of the system. For example, in addition to blocking ad sites and spyware installation, Spy Sweeper provides shields to protect memory, alternate data streams, the HOSTS file, and startup programs. End users might not be aware of the shields, but if users inadvertently try to install spyware, the shields silently prevent it.

Spy Sweeper runs in a remarkably functional Web browser. For example, you can drag and drop any user you create onto different objects to specify various types of notification, sending errors, warnings, and information to one email address and spyware alerts to another. Similarly, you can right-click objects to display additional menus, and you can select multiple objects using the Shift or Ctrl key. Spy Sweeper feels like a robust application even when run from a remote computer using only a browser. Additionally, all administrative actions are logged and kept for a configurable period of time, making it easy to audit the activities of multiple administrators.

Spy Sweeper includes nine built-in reports, such as spyware trends, top spies, infection status, spyware detail, infected machine summaries, and history, displayed as screen charts and PDF files. The product also includes several command-line tools suitable for running reports via batch files or Windows scheduled tasks.

The Best of the Three
Choosing a standalone spyware solution means that you'll likely need to deploy another client onto your desktop systems, but the features available in a standalone product are often more robust than those in an integrated solution. For my money, the best of these three enterprise antispyware applications is Webroot Spy Sweeper Enterprise. Its mix of granular features, real-time defense, a full client interface, and dashboard reporting—and its inclusion of external command-line tools—makes Spy Sweeper stand out.

Webroot Spy Sweeper Enterprise 2.5.1

PROS: Rich UI; well thought-out features; command-line tools extend the product beyond the console
CONS: Expensive
RATING: 4.5 out of 5
PRICE: $2077 for 100 seats; $15,280 for 1000 seats
RECOMMENDATION: I recommend this product over the others for its rich configuration, solid scanning and real-time protection, and flexible remediation options.
CONTACT: Webroot Software * 866-612-4227 *

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.