Spyware is a growing concern. To address that concern, you need to know how to defend your systems and the types of antispyware solutions available so you can choose which type best fits your needs. It's also helpful to know about some of the vendors that currently provide centrally manageable antispyware solutions. (If you're unfamiliar with what spyware is, see the Web-exclusive sidebar "The Scoop on Spyware," http://www.windowsitpro.com/windowssecurity, InstantDoc ID 47323.)
Common Sense Defenses
Some system behavior might be a sign of spyware infiltration:
You should tell users to report such anomalies to the appropriate administrative staff for closer inspection.
Basic Differences in Antispyware Solutions
There are three basic ways that vendors choose to detect and remove spyware. Antispyware solutions work by performing active (real-time) scanning, passive scanning, or a combination of both. Active scanning prevents spyware infiltration by inspecting content as it arrives at a network gateway or internal computer system; you can think of it as a proactive defense. Passive scanning is the process of scanning a system to determine what it already contains. The scan is performed through a scheduled task or is manually initiated; you can think of passive scanning as a reactive defense. Both active and passive scanners typically rely on signature databases, much as antivirus solutions do. Such solutions might also rely on specialized detection methods, such as detecting filenames or registry keys commonly used by spyware.
Some antispyware solutions use methods to detect the potential behavior of various types of content. Behavioral examination is a proactive defense that's typically performed in real time as content passes through a filtering system. For example, the solution might examine scripts to determine whether they try to execute known exploits or perform suspicious operations, such as accessing the registry, accessing system files, or copying files. The solution might examine content to determine whether it contains suspicious files, such as known malicious DLLs or executable files. Although most antispyware makers use the pattern-matching method (based on signatures, filenames, and registry keys), behavioral-examination systems can be equally effective.
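To make the two approaches concrete, here is an added example (not from the article or any vendor) of a passive signature scan and a behavioral script check; the signature database, indicator names and sample inventory are constructed placeholders, and the override set models the definition-override capability discussed later in the article.

```python
import re

# Constructed signature database (placeholder names, not real spyware indicators).
# Each definition lists lowercase file names and Run-key value names used by one family.
SIGNATURES = {
    "ExampleAdware.A": {"files": {"exampleadware.dll"}, "registry": {"exampleadwaresvc"}},
    "ExampleTracker.B": {"files": {"trk_helper.exe"}, "registry": {"trkhelper"}},
}

# Behavioral rules: one suspicious operation each (registry access, system-file access,
# file copying, shell automation object) with a weight; a script is flagged at the threshold.
BEHAVIOR_RULES = [
    (re.compile(r"HKEY_(LOCAL_MACHINE|CURRENT_USER)", re.I), "registry access", 2),
    (re.compile(r"\\system32\\", re.I), "system file access", 2),
    (re.compile(r"\b(copyfile|copy-item|xcopy)\b", re.I), "file copy", 1),
    (re.compile(r"\b(wscript\.shell|shell\.application)\b", re.I), "shell object", 1),
]
BEHAVIOR_THRESHOLD = 3

def passive_scan(files, run_keys, overrides=frozenset()):
    """Pattern-match an inventory (file names, Run-key value names) against SIGNATURES.
    Definitions named in `overrides` are skipped so a sanctioned application is not flagged."""
    files_l = {f.lower() for f in files}
    keys_l = {k.lower() for k in run_keys}
    hits = [name for name, sig in SIGNATURES.items()
            if name not in overrides and (files_l & sig["files"] or keys_l & sig["registry"])]
    return sorted(hits)

def behavioral_scan(script):
    """Score script content by the suspicious operations it performs (real-time filtering).
    Returns (flagged, list of matched behaviors in rule order)."""
    matched = [(label, weight) for rx, label, weight in BEHAVIOR_RULES if rx.search(script)]
    score = sum(weight for _, weight in matched)
    return score >= BEHAVIOR_THRESHOLD, [label for label, _ in matched]

# Constructed sample input: one desktop's inventory and one script seen by a content filter.
SAMPLE_FILES = ["notepad.exe", "ExampleAdware.DLL", "shell32.dll"]
SAMPLE_RUN_KEYS = ["OneDrive", "TrkHelper"]
SAMPLE_SCRIPT = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.RegWrite "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x", "c:\\x.exe"\n'
    'fso.CopyFile "c:\\x.exe", "c:\\windows\\system32\\x.exe"\n'
)

if __name__ == "__main__":
    print("passive:", passive_scan(SAMPLE_FILES, SAMPLE_RUN_KEYS))
    print("passive with override:", passive_scan(SAMPLE_FILES, SAMPLE_RUN_KEYS, {"ExampleTracker.B"}))
    print("behavioral:", behavioral_scan(SAMPLE_SCRIPT))
```

A production scanner would load signatures from a vendor feed and read the real file system and registry; the override set is what lets an administrator keep a legitimate application that a definition would otherwise classify as spyware.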
Gateway Based vs. Host Based
The placement of antispyware solutions is similar to the placement of antivirus solutions. You can place them at gateways or on hosts, such as servers and desktop computers.
Solutions placed at the network border protect your intranet by stopping infiltration of spyware before it can reach servers and desktop computers. Gateway-based solutions are typically much easier to manage because you undoubtedly have fewer gateways than you do servers and desktop computers. Another advantage of gateway-based solutions is that they perform active scanning, which means spyware can be eliminated before it reaches machines in your internal networks. Gateway-based solutions are available as software only. You provide the hardware or network appliance.
Many security solution providers have integrated antispyware functionality into their existing solutions. For example, vendors that provide antivirus, content filtering, intrusion detection, and firewall solutions now offer antispyware features as an add-on service or a standalone solution. Keep in mind that as with any security-related situation, an all-in-one solution presents a potential single point of failure. If a problem arises in that solution, it might have wide-ranging effects on your overall security.
If your budget permits it, you should consider creating a multilayer defense that uses solutions at the gateway, server, and desktop levels. Also consider using solutions from two or more vendors because doing so can provide a much higher rate of spyware detection. One antispyware solution might be able to detect spyware that another solution can't detect.
Even with centrally managed gateway-, server-, and desktop-based antispyware solutions in place, you should also consider keeping copies of some popular free standalone tools to use in the event that your centrally managed solutions aren't effective at detecting and removing a particular type of spyware. That situation could arise when new forms of spyware penetrate your defenses before your antispyware vendor has created a way to protect against them. Two of the more popular standalone tools are Spybot Search & Destroy (http://www.safer-networking.org/en/download) and Lavasoft's Ad-Aware SE Personal Edition (http://www.lavasoftusa.com/software/adaware). Both tools are very effective and free.
Although I've never seen an instance where spyware can't be removed, keep in mind that it could certainly happen. In that case, you'd have to completely rebuild the affected system. Having a recent backup or a standardized system image would minimize your time and effort toward recovery, so don't overlook these failsafe measures.
Choosing a Solution
Choosing a solution can be a daunting task, especially since there are a large number of possible choices. An easy way to narrow the field is to decide whether you want a single-vendor or multiple-vendor solution and whether you want a software-based solution or an appliance-based solution. Another consideration is whether you prefer a solution from one of your existing vendors. For example, if you already have antivirus, intrusion detection, and firewall solutions in place, consider checking with your vendors to see whether they also provide spyware protection. It's highly likely that they do, which could make implementing your antispyware solution much simpler.
If you want to use a specialized solution designed solely to protect against spyware, Table 1, page 14, shows nine possible solutions. A couple of these products offer added value, such as detection of Trojan horses and keystroke loggers. If you use Microsoft Internet Security and Acceleration (ISA) Server, GFI Software's WebMonitor for ISA Server might be a good choice for you because it integrates with BitDefender solutions to help quarantine spyware.
If you want a more versatile solution that filters many different kinds of content and performs other security-related tasks (e.g., URL blocking, bandwidth management, filtering of ActiveX controls and scripts), take a close look at Blue Coat Systems' ProxySG series, Citadel Security Software's Hercules Enterprise Vulnerability Management Suite, CyberGuard's Webwasher CSM Suite, Finjan Software's Internet 1Box, LANDesk Software's LANDesk Security Suite, MicroWorld Technologies' eScan Enterprise Edition, Prevx's Prevx Enterprise, Shavlik Technologies' NetChk Spyware, SonicWALL's PRO series, and Websense Enterprise.
The only vendors I currently know of that provide appliance-based solutions are Blue Coat Systems, Finjan Software, Fortinet, SonicWALL, and Symantec. Each of these appliances guards against more than just spyware.
According to Blue Coat Systems, the ProxySG series guards against spyware, scans for viruses that originate over Web traffic, and provides control over IM clients and peer-to-peer (P2P) software. ProxySG appliances can also provide bandwidth control, URL filtering, and content security management by removing or replacing certain types of content. Because ProxySG appliances block access to URLs of known spyware distribution sites, even if spyware somehow makes it into your network, it won't be able to "phone home," thereby rendering it useless.
Finjan Software describes Internet 1Box as a behavior-blocking appliance that isn't dependent on signature databases, which means that it can protect your network from known and unknown types of intrusion without the need for constant updates. Internet 1Box provides a firewall, virus protection, URL filtering, spam protection, and spyware protection. The appliance can also protect remote clients.
Fortinet's FortiGate Antivirus Firewall series appliances offer network-based spyware protection, virus protection, intrusion detection and prevention, VPNs, and traffic-shaping capabilities for small offices/home offices (SOHOs), small-to-midsized businesses (SMBs), and enterprises. Fortinet's FortiClient works at the desktop level to offer similar protection.
Depending on your particular network design and needs, SonicWALL provides several different appliances in its PRO series. The appliances provide firewalls, intrusion prevention, virus protection, and spyware protection.
The Symantec Network Security 7100 Series appliances can protect against spyware, viruses, worms, and Trojan horses. An appealing feature is that the appliances include the Symantec DeepSight Early Warning System, which can alert you to potential security threats before they actually reach your particular network. The warning system uses input from a network of sensors to identify new potential threats in near real time.
Regardless of which type of solution you prefer, you need to obtain evaluation copies of your top choices and put them through rigorous tests to see how they perform in your particular network environment. If you evaluate software-based solutions, check to see how they affect system performance because some solutions can be more demanding on system resources than others. Similarly, don't forget to check network performance if you select gateway-based or appliance-based solutions.
Another consideration is your ability to control and configure spyware definitions. Some useful applications might mistakenly become classified as spyware due to components or functionality included with those applications. So consider whether you need a solution that lets you remove or override specific spyware definitions when those definitions conflict with your chosen applications.
When you browse through the solutions in Table 1, keep in mind that Microsoft recently purchased GIANT Company Software, which made what is considered by some to be one of the best antispyware solutions available. Microsoft recently renamed the product to Microsoft Windows AntiSpyware, which is now in beta testing. At the time this article was written, there wasn't an enterprise-enabled version of the solution, so it isn't listed in Table 1.
However, Microsoft intends to eventually release an enterprise-enabled version of the product and keep the standalone desktop version free. So, remember to check into the enterprise version if you're interested in testing it on your network. You need Windows 2000 or later to use the Microsoft solution.
An interesting sidenote is that Sunbelt's CounterSpy is based on GIANT's technology. Since Microsoft purchased GIANT after Sunbelt had already entered into an agreement with GIANT, Microsoft is obligated to provide spyware signature updates for CounterSpy until June 2007. After that point, Sunbelt will manage its own signature creation and distribution process.
A Fast-Growing Market
The antispyware market is growing fast. By understanding how spyware works and how the different types of antispyware solutions detect spyware, you'll be able to determine which type best fits your needs. You can then use Table 1 to help find the vendors that currently provide the type of antispyware solution you want.