February 2006

Get Smart: Enterprise Antispyware

Compare 3 products that expose spyware in the enterprise

An increasing threat to business productivity, the prying eyes of spyware can expose crucial information about your enterprise or customers to the outside world. Spyware not only slows down your computer, it sends personal information to strangers without your knowledge or consent. Whereas viruses and worms infect or corrupt a single file and are relatively easy to detect and remove, spyware is much more insidious, often actually installing programs without your knowledge. Spyware is a master of disguise, masquerading as an innocuous Microsoft Outlook helper bar that lets you add emoticons, for example, while in the background monitoring your email. The information that spyware collects varies from the content of files stored on your computer, to your email contacts, to URLs for the Web sites you visit. Spyware might actually record your keystrokes, take screen shots of your computer session, redirect your Web browser to unwanted sites, or corrupt your computer.

Many security software vendors offer products to detect and eliminate spyware. In this article, I compare three standalone enterprise antispyware products and look at some of the features that you should consider before choosing a product for your business. (If you're considering combining bundled and standalone products, see the sidebar "A Drawback to Bundles" for information about a common downside to this approach.)

Testing the Products
The products in this review detect and remove only spyware—not viruses—so you aren't required to purchase a particular antivirus package to run with any of these products. Standalone products offer a stronger, more effective package than an integrated solution does because they focus solely on detecting spyware instead of trying to solve multiple problems. I've found several antivirus software vendors who claim to detect some versions of spyware with their antivirus engine, but in my experience they fall short of the standalone products.

Antispyware effectiveness depends upon the robustness of the detection engine and the accuracy and timeliness of the updates—not just for detecting new spyware but also for eliminating false positives from earlier updates. Your antispyware product should let you schedule automatic downloads of new signatures. Most companies—including those in this review—provide new signatures through a subscription service that's included in the annual maintenance fee.

I reviewed Sunbelt Software's CounterSpy Enterprise, Trend Micro Anti-Spyware Enterprise Edition, and Webroot Spy Sweeper Enterprise. Targeted at midsized-to-large businesses with more than 50 seats, these products include enterprise features such as centralized configuration, remote client deployment and management, and reporting and alerting. (See Table 1 for a comparison of the products' key features.)

For this review, I compared product usability and effectiveness at finding and removing spyware. My tests included using the products to deploy agents, scan remote clients, and remove all found threats.

My test system was a computer running Windows XP Service Pack 2 (SP2) with all security patches installed. I loaded the system with all sorts of spyware and adware, including dialers, hijackers, and system monitors, such as keystroke loggers. The spyware I tested included abcsearch4u, 550Access toolbar, Track4Win, pinfo dialer, FindWhateverNow, CoolWeb search, Chat Blocker, Activity Monitor 2002, SpyBuddy, DialerClub, and Mysearchpage.

From each antispyware product's centralized console, I scanned the infected client to see how well the product detected and cleaned the infested system. After the initial scan, I rebooted the infected system and used the same product to scan again.

All three products disabled all spyware on the test system. Spy Sweeper detected and silently removed all infections. CounterSpy's real-time protection lit up the console like a Christmas tree after the reboot, catching multiple attempts to reinfect. The Trend Micro product's prompt message told me to restart the client to fully clean it, hinting at Anti-Spyware Enterprise's ability to clean locked files. Although only Trend Micro's product actually prompted me to reboot, every product required several reboots and scans to fully clean the system.

CounterSpy Enterprise
Sunbelt Software's CounterSpy Enterprise provides centralized spyware scanning and real-time protection at a low price. Everything you need to manage your agents, policies, quarantine, and reports is just a few clicks away from the main screen. The Win32-based console is easy to use, but it seems geared to managing small numbers of clients and lacks some features that I expect in enterprise-class products. For example, only one user at a time can access the console through Terminal Services. And if you connect two consoles to one server, changes made at one console might not be reflected in the other.

CounterSpy manages remote agent behavior through customizable policies. You can create one or many policies and assign different agents to those policies to suit your needs. For example, you can choose more frequent scans for high-use workstations and specify a "quick" scanning policy that won't affect performance for your servers. One nice feature of CounterSpy is that it lets you choose between two types of scans, dubbed "quick" and "deep" scans. You can customize the parameters of each type of scan, such as the depth of folders to search, whether to check processes for spyware, whether to look for tracking cookies, and whether to check the registry for evidence of spyware, as well as which drives to scan.

CounterSpy shows you the many threats it can detect and groups them into more than 40 categories, such as adware, browser hijacker, dialer, and key logger. The threat database is easily accessible from the administrative console, letting you quickly research threats. The console includes a link to the CounterSpy research center, which details the threat type, description, and advice on how to handle the threat. In addition to using Sunbelt's own team of spyware researchers and a community-driven spyware threat notification network, CounterSpy shares spyware definitions with Microsoft Windows Defender (formerly Microsoft Windows AntiSpyware beta). In your policies, you can create a whitelist of acceptable, low-risk threats to your network that you deem benign or useful, such as advertising cookies that help deliver targeted, interesting ads. A standout feature of the CounterSpy UI is its data sorting and grouping, which is especially useful when viewing a lot of data, such as the threat list. Being able to categorize all threats really helps.

Like the other products in this review, CounterSpy requires that you deploy an agent on every client computer. You can choose which computers to monitor by using Active Directory (AD), browsing the network, or specifying machine names or IP addresses, then install the software using the automated push-pull installation. Alternatively, you can deploy the agents using a custom package that you install on clients manually or by using Group Policy, logon scripts, or a third-party package-deployment product.

You can also permit end-user–initiated scans, log data locally, specify whether to hide the agent taskbar icon, and determine whether and how frequently the agent should update its threat definitions and software. After installation, the agent displays a minimalist UI. When enabled, the task icon shows whether CounterSpy is currently scanning or idle. Right-clicking the icon lets you initiate a scan and reset choices you might have made in the product's Active Protection.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.