Configuring database updates
Updating the spyware definition files is among the most important tasks you'll perform in the fight against spyware. You can deploy the client agent to every machine on the network, configure stringent policies, and perform spyware scans twice a day, but none of this will defend against a brand new spyware application. The only way to prevent a new strain of spyware from invading your network is to regularly update the spyware definition database. The CounterSpy Enterprise interface makes the update process easy.
Managing the frequency of client and database updates is one of CounterSpy's system configuration options. To work with these settings, expand the System list and click Updates, as shown in Figure A.
The Updates screen lets you specify how often CounterSpy should check for new updates to the client Agents and to the spyware definition, or threat, database. Because your defenses are only as good as the software you've deployed, you should consider checking for updates every two or three hours. The inquiries and subsequent downloads are relatively small and shouldn't put a strain on your network. Even if you elect to check for updates less frequently, you should, at a minimum, check for threat database updates at least twice per day.
The System Configuration screen contains optional settings for configuring how CounterSpy Enterprise communicates with Sunbelt Software to obtain updates. As Figure B shows, this screen consists of two sections.
The Proxy Server Settings section allows you to configure the Address and Port settings to use when communicating with Sunbelt Software. The Email Server Settings section provides various e-mail configuration options that CounterSpy will use to notify you about spyware/adware that is detected on your network.
Working with policies
The strength of any centrally managed product is the ability for administrators to easily configure and manage clients.
The CounterSpy Enterprise Admin Console provides an easy-to-use policy configuration interface. The Policies folder expands to list all of the group policies that have been created. To work with a policy configuration, simply highlight the policy to display the available options, as shown in Figure C.
The toolbar at the top of the screen lets you force a scan on a single machine or all of the machines assigned to the policy. You can also manage the machines in the policy using the Add, Remove, and Reassign buttons.
The middle portion of the policy configuration screen lists all the machines assigned to the policy. The Last Scan column provides the date and time each machine was last scanned for spyware. The Defs Version and Agent Version columns display the client version that's installed on each workstation. Occasionally reviewing this information can help you make sure each machine is being scanned regularly with the latest agent software and spyware definition database information.
The Schedule tab provides a variety of options for both a quick scan and a deep scan of the machines assigned to this policy. You can enable either or both types of scans. You can also schedule the start time, days of the week, and run frequency of the scan. The CounterSpy client Agent runs as a background process that doesn't affect workstation performance. You should consider running a quick scan at least once per day and a deep scan once a week. If the workstations have heavy Internet use, you should consider scheduling more frequent scans.
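The machine list and the scan cadence above are worth checking mechanically rather than by eye. The following added example (not CounterSpy code; the rows, version strings and names are constructed) audits a policy's machine list for workstations whose Last Scan is older than the one-quick-scan-per-day recommendation or whose Defs Version or Agent Version lags the current one:

```python
from datetime import datetime, timedelta

# Thresholds taken from the article's guidance: a quick scan at least once per
# day, and every machine carrying the current definition and Agent versions.
MAX_SCAN_AGE = timedelta(days=1)

# Constructed sample rows modelled on the policy screen's machine list
# (Last Scan, Defs Version, Agent Version). All values are invented.
NOW = datetime(2006, 3, 14, 18, 0)
LATEST_DEFS = "2006.03.14.2"
LATEST_AGENT = "1.5.1"
MACHINES = [
    {"name": "WS-ADMIN-01", "last_scan": datetime(2006, 3, 14, 9, 0),
     "defs": "2006.03.14.2", "agent": "1.5.1"},
    {"name": "WS-SALES-07", "last_scan": datetime(2006, 3, 12, 9, 0),
     "defs": "2006.03.12.1", "agent": "1.5.1"},
    {"name": "WS-LAB-03", "last_scan": datetime(2006, 3, 14, 2, 30),
     "defs": "2006.03.14.2", "agent": "1.4.9"},
]


def audit_machines(machines, now=NOW, latest_defs=LATEST_DEFS,
                   latest_agent=LATEST_AGENT, max_scan_age=MAX_SCAN_AGE):
    """Return {machine name: [issues]} for machines that fall outside the
    recommended scan cadence or lag behind the current definitions/Agent."""
    findings = {}
    for m in machines:
        issues = []
        if now - m["last_scan"] > max_scan_age:
            issues.append("last scan older than %s" % max_scan_age)
        if m["defs"] != latest_defs:
            issues.append("definitions %s behind %s" % (m["defs"], latest_defs))
        if m["agent"] != latest_agent:
            issues.append("agent %s behind %s" % (m["agent"], latest_agent))
        if issues:
            findings[m["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_machines(MACHINES).items():
        print(name, "->", "; ".join(issues))
```

Feeding it the real machine list exported from the console would give the same kind of report for every policy in one pass.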
The policy configuration window also allows you to configure what gets scanned during a quick or deep scan. As Figure D shows, you can select from these options:
- Scan Known Locations
- Scan Cookies
- Scan Memory And Running Processes
- Thorough Scan
You should probably select all of these options for the deep scan, and possibly select Scan Known Locations and Scan Memory And Running Processes for the quick scan. The selections you make should be based on the amount of Internet use the machines encounter. For heavy use, you might consider selecting all of the options for both types of scans or possibly selecting Thorough Scan during a quick scan.
The CounterSpy threat database contains all the known spyware that the software looks for when it scans a workstation. However, just because a program is listed in this database doesn't mean that it isn't legitimate software. For example, the DameWare remote control tool could potentially be used for spyware-type purposes. That doesn't mean that it shouldn't be installed; it's a popular and useful tool for network administrators. In this case, you wouldn't want CounterSpy to remove the program from certain machines when it performs the system scan.
The Allowed Threats tab, shown in Figure E, lets you allow certain programs to be installed on the workstations that are assigned to the policy. This prevents CounterSpy from removing them. It also enables you to customize the policy for the person who is using the workstation. For example, you'd want only network administrators to have the DameWare remote control tool. The Allowed Threats tab gives you the flexibility of allowing certain users to have the program, while preventing others from installing it.
The Notifications tab, shown in Figure F, allows you to specify who is notified of certain types of warnings generated by CounterSpy. For example, you could configure CounterSpy to notify you of all the threats found during a system scan or just the very critical ones. These notifications provide you with information about the threats that were found on the network.
As you can see in Figure G, the Agent tab provides several options for configuring the CounterSpy Agent software on the client workstations. You can display the CounterSpy taskbar icon and elect to update the threats database or Agent software whenever updates are available. You can also manually force an update of the threats database or Agent software for all workstations assigned to the policy, and you can change the reboot message per policy.
The Action tab, shown in Figure H, enables you to specify the type of action taken for certain types of spyware. For example, you could elect to quarantine programs deemed to be adware or delete spyware considered to be an AOL Exploit. Generally speaking, the default settings are appropriate for most environments. However, each network and environment is different, so you may need to fine-tune the actions to meet the needs of your organization.
CounterSpy provides many configuration options that allow you to manage agents, quarantined threats, and all spyware-related threats. These features give you even more centralized control over how spyware is handled on the network workstations.
Figure I shows the screen that appears when you choose Agents under Management in the CounterSpy interface. This screen provides information about the Agents that are deployed on the network. You can check the status of the Agent software, determine when the last scan was performed, and verify the threat database and Agent version. In addition, you can assign a policy to the Agent. Although you can handle these tasks in other places within the CounterSpy application, it's much easier to view all of the Agents in one location, rather than having to view them within each policy.
The Quarantine and Threats management options are similar. The Quarantine screen provides information about spyware that was found by client Agents. The Threats screen, shown in Figure J, provides a list of all the threats in the database. You can use this information to determine the name of the program, the organization that produced the application, and the threat level of the spyware.
The easy-to-use interface and powerful tools available in CounterSpy Enterprise make it an appealing choice for spyware defense. The centralized management features simplify the job of configuring and managing client Agents, updating the threat database, and leveraging other CounterSpy Enterprise options for effective protection and flexibility.
Most enterprise anti-spyware tools on the market were adapted from stand-alone products rather than designed specifically for an enterprise