07:43 01.11.2005 | All news from "Products and Tools"

Test: Enterprise-level anti-spyware software

Like other harmful programs, spyware is a huge problem. Worse than a typical virus, a spyware program can send corporate data directly from your company's client computers to an Internet-based data collection facility, such as a shady adware site or other group of bad guys.

The perfect anti-spyware tool detects all spyware, identifies all the files and registry entries associated with the spyware, and safely removes all its traces, remnants and residue. In a corporation, the ideal tool also offers a central console through which network administrators can easily disinfect client computers. The ideal tool is simple to install and deploy, and conveniently updates its own spyware signature list. Status displays and reports give you a quick and accurate picture of how badly spyware is harming your company. A good tool also will be able to detect and remove Trojans, dialers, malware and browser hijackers (see graphic, below).

Webroot's Spy Sweeper Enterprise proved itself the best anti-spyware tool in our tests, winning a Clear Choice Award. It contained the most spyware definitions, gave us excellent control over its client agents from a central console, ran quickly and unobtrusively, had an intuitive user interface, and displayed useful reports of its activity.

Find and remove

Spy Sweeper Enterprise is said to thwart about 35,575 spyware programs; Omniquad AntiSpy Enterprise contains about 10,000 spyware definitions; and SpySubtract Pro has about 31,124. The freeware SpyBot Search & Destroy contained more than 10,000. Auditing each vendor's list with a sampling technique verified the authenticity and validity of each vendor's spyware definitions.

All four products automatically update their definitions by accessing vendor master lists via the Internet. Spy Sweeper Enterprise updates generally occur weekly, Omniquad AntiSpy Enterprise updates occur every three days (sometimes more frequently) and SpySubtract Pro updates occur every one to two weeks. All four accurately detected and disposed of the 20 examples of miscreant spyware we introduced into our test network.

Spy Sweeper Enterprise includes four server components - an administration console, enterprise database, update server and client server.

The administration console is the user interface for configuring clients, managing spyware definition updates, establishing alerts and notifications, viewing reports and remotely directing client spyware scans, including running an immediate spyware scan on a specific remote client or group of clients.

The enterprise database component stores configuration settings and scan results. The update server automatically obtains the latest spyware definitions from the vendor on the scheduled weekly basis, or an administrator can tell Spy Sweeper Enterprise to retrieve definitions on demand.

The client server module sends configuration settings and definition updates to the clients, and receives the scan results from those clients. On each client, Spy Sweeper Enterprise's client agent scans for spyware - periodically or on demand.

When spyware is detected (either incoming or pre-existing), the client disables and quarantines the spyware. It then sends an alert to the client server, which records the event in the database and tells the administration console to notify a network administrator. Because Spy Sweeper Enterprise consumes little bandwidth and because you can spread its workload across multiple servers, we found it scales extremely well. Each scan took only about 4 minutes and consumed few resources as it ran unobtrusively in the background on each client.

FreezeX ices executables

If your company prohibits the installation of any software on a client once that client has been configured, Faronics’ FreezeX ($25 plus $45.60 for each client) might be of interest to you. At installation, FreezeX notes which computer programs are already on a computer and deems them “authorized.” Thereafter, FreezeX denies any attempt to install or run unauthorized computer programs, whether via removable media or the network. Faronics says FreezeX intercepts more than 80 types of executables, including .scr, .sys and .dll files. We found FreezeX to be a reliable, no-nonsense watchguard against BHOs and every other type of executable we tried to install. You can even use it as a de facto license manager. Its Silent Install option for quickly and painlessly deploying FreezeX remotely across a network works well.
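
The baseline-then-deny model described above, as an added example that is not from the original article and is not FreezeX's code. The article does not say how FreezeX identifies a program, so matching by SHA-256 digest, the four-extension list and all file names are assumptions.

```python
import hashlib
import os
import tempfile

# Assumption: a small sample of executable extensions. The article says FreezeX
# covers more than 80 types, including .scr, .sys and .dll.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr"}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def executables(root):
    """Yield every file under root whose extension marks it as executable."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                yield os.path.join(dirpath, name)

def snapshot(root):
    """Baseline taken at 'install time': digests of all executables present."""
    return {sha256_file(p) for p in executables(root)}

def is_authorized(path, baseline):
    """Authorize by content, so an approved file name alone is not enough."""
    return sha256_file(path) in baseline

def audit(root, baseline):
    """Return relative paths of executables that are not in the baseline."""
    return sorted(os.path.relpath(p, root) for p in executables(root)
                  if not is_authorized(p, baseline))

def demo():
    # Constructed sample tree; names and contents are made up for the example.
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        put("office.exe", b"approved build 1")
        put("driver.sys", b"approved driver")
        baseline = snapshot(root)
        put("toolbar.dll", b"browser helper object")  # new after the baseline
        put("office.exe", b"tampered build")          # approved name, new content
        put("copy.scr", b"approved driver")           # approved content, new name
        put("notes.txt", b"plain text")               # not an executable type
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Keying the baseline on content rather than file name is what catches the in-place replacement of `office.exe`; an extension filter, by contrast, only sees the file types it was told about.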

Five common types of spyware

Category: Typical action
Keyboard logger (aka trackware): Captures keystrokes (including personal information and passwords) or tracks Web sites you visit.
Trojan: Enables remote control of your computer by a hacker, often for distributed DoS attacks.
Droneware: Sends spam or hosts offensive Web images.
Dialer: Auto-dials area code 900 or expensive long-distance calls via your modem.
Adware: Pops up advertisement-laden browser windows.

Not-so-fun spyware facts:
• Some spyware sends captured data to North Korean intelligence agency servers. The North Korean government analyzes what it captures, sells the data to criminals and organizes international distributed DoS attacks. South Korea’s defense ministry recently said that North Korea has trained more than 500 computer hackers to wage cyber-warfare against the U.S. (www.nwfusion.com, DocFinder: 5030). The ministry reported that North Korean militant hackers, who have undergone a five-year university course geared toward penetrating the computer systems of the U.S., South Korea and Japan, are among the best in the world.
• Want to see Web sites that promote the use of spyware for advertising? Head to www.stop-popup-ads-now.com or www.abetterinternet.com. If you visit these sites, please first maximize your browser security level, do not click on any of the links you see and examine your system afterward for possible spyware infection.

 

www.networkworld.com/