
Ways to centralize your anti-spyware defense

Spyware has become more of an annoyance than viruses are. Centralized antivirus solutions exist, but you're left with many stand-alone anti-spyware choices. Here are some of the best ways to centralize your anti-spyware defenses.

Depending on your network environment, it's probable that spyware has become a bigger problem for your organization than viruses. There are a lot of reasons that this could be so. First, more and more people use the web every day, and many don't take basic precautions such as reading before clicking "I agree" to an onerous license for a web download. Second, since viruses have been recognized for many years as a serious problem, most companies have taken the appropriate step of installing antivirus software on all computers, often tied back to a centralized distribution and management system.

In my situation, I'm the IT Director for a small college with students who bring anything and everything to campus, including, in the past, a multitude of viruses. As such, we've installed Symantec AntiVirus, which is distributed to students from a central location. Through this central distribution center, we can make sure that antivirus software is installed the way we want for best protection, and that updates are regularly applied.

Now, spyware rears its ugly head. Because it deliberately degrades the systems it infects, spyware can be more of a productivity stopper than viruses ever have been. While a number of spyware solutions, including SpyBot and AdAware, have been available for quite some time, many of the original spyware-busting applications lacked centralized distribution and update capabilities. Some of the solutions available now, however, address one or both of these shortcomings.

Software solutions

Software solutions provide the traditional means of detecting and eradicating spyware. Centralized anti-spyware solutions work basically as you would expect. Generally, the software includes a server component from which anti-spyware client software is pushed to each desktop in the organization. Further, there is usually some kind of administrative console from which you can easily and centrally configure clients and run reports.

I'll provide a view into some potential solutions for the rest of this section. This is by no means intended to be a comprehensive guide to every product available. Instead, I will go over a couple of solutions in the software space and a couple of hardware solutions that you might consider.

Sunbelt CounterSpy Enterprise

With client support for all versions of Windows back to Windows 98 Second Edition, Sunbelt's CounterSpy Enterprise has the features that you'd likely want in a centralized anti-spyware installation. Among its features is the ability to deploy client software in a number of different ways, fully and automatically.

The currently shipping version of the CounterSpy client uses Microsoft's (formerly Giant's) AntiSpyware engine. However, Sunbelt does not use the same scoring values that Microsoft's tool does, so, even though they share the same engine and definitions, each product rates spyware a little differently. This sharing agreement is only in place until July of 2007, so look for Sunbelt to switch engines and definitions in the next release.

CounterSpy Enterprise provides a number of reports to help you identify where you are most vulnerable and, perhaps, to mitigate problems in other ways. One report, an executive summary, provides a quick view of how many desktops have infestations and shows you the top ten pieces of spyware found, as well as the severity level of the various infestations and the most infested machines on your network. Further, it breaks down the threats by categories such as "adware", "cookie", "toolbar" and so on.

CounterSpy Enterprise also easily (and affordably!) protects Citrix and Terminal Server installations. According to Sunbelt, the company charges you for just a single agent for the entire server, even if a number of users with Windows terminals connect. For mobile users, CounterSpy allows them to be away from the management server for a period of time before they have to update their spyware definitions. Of course, you can always configure these machines to update over a VPN connection as well, so the update window can be kept fairly short.

Speaking of price, CounterSpy Enterprise runs between $10 and $24 per seat. CounterSpy is also sold in a consumer edition, without a server component, and costs about $20 per seat when used in this configuration.

For more information about Sunbelt's CounterSpy Enterprise, visit http://www.sunbeltsoftware.com/CounterSpyEnterprise.cfm.

Webroot Spy Sweeper Enterprise

Like CounterSpy Enterprise, Spy Sweeper Enterprise, as its name suggests, is an enterprise-level product with automatic deployment capabilities, a central management console, and reporting. Spy Sweeper Enterprise also includes the ability to keep mobile clients current by connecting them to Webroot's update servers when these clients can't be easily connected to the corporate Spy Sweeper server. As with virus definitions, keeping your spyware definition file current is critical to successfully combating this problem.

On the client side, Spy Sweeper supports Windows versions back to Windows 98. The server, however, must run an operating system in the NT family: NT 4.0 SP5 or later, 2000, XP or 2003. Unlike CounterSpy, Spy Sweeper does not support Citrix and Terminal Services, although some reports indicate that it might work.

New (and old) kid on the block: Microsoft AntiSpyware

While it lacks centralized deployment and reporting features, I should mention Microsoft's foray into the anti-spyware market. In late 2004, Microsoft acquired Giant Corporation, a company that developed an impressive real-time spyware scanner, akin to a real-time virus scanner in that it actively monitors system activity against a spyware signature database to make sure the system stays free and clear of spyware. While the product does not yet have a centralized deployment server, you can use Active Directory for the initial deployment. Even though it lacks central management capability, Microsoft's version of this product, currently available in beta, does keep itself current with new spyware definitions and regularly checks for new versions of the product itself.

As for cost, Microsoft has committed to providing the product to legal Windows users at no additional charge. While some might say Microsoft owes it to their customers to provide this service because of the various flaws in Windows, it's actually a very good product.

Beyond just using a definition file, users of Microsoft's AntiSpyware can opt to join SpyNet, an opt-in program in which users of the product help to determine which programs should and should not be considered spyware, so that the software can flag new spyware more quickly.

Microsoft's AntiSpyware runs on Windows 2000, XP and 2003. The current beta expires December 31, 2005. To download and install the software, visit the Microsoft AntiSpyware web page.

Again, while Microsoft's product doesn't provide for centralized deployment, it does keep itself current once it's on your users' desktops, and you can't beat the price! Of course, without the centralized management capabilities found in other products, Microsoft's product cannot report infection statistics, which can be useful if you're trying to track down a particular problem.

Look for this consumer-oriented product, however, to turn into a paid product with centralized management for the enterprise.

Hardware solutions

Like most things in IT, appliances have hit the spyware market. The appliance approach has the advantage that its only purpose in life is that for which it was designed—nothing more. Of course, regardless of whether you go with a software or a hardware solution, you probably want something full-featured, so I'll also go over a couple of appliance-based alternatives for the rest of this section.

Barracuda Spyware Firewall

Barracuda has done well with its spam firewall appliance and recently released another, similar-looking, appliance that helps organizations prevent spyware infestations. Dubbed the Spyware Firewall, Barracuda's device is installed inline between a LAN segment and the organization's firewall.

What this means is that the Barracuda solution does not require a client installation in order to function. This can be good or bad, depending on your situation. At my college, I might use this as a second-level measure, but would also have a solution that requires a client to be installed on each PC. Why? I have a large mobile population that includes hundreds of student laptops and a couple dozen administrative laptops. I have complete control over the administrative systems, but no admin rights on the student laptops. Therefore, a two-phased approach is our best bet: use (and require) the client for all campus systems, and those students who ignore our requests will still be partially protected by the inline solution, at least when they're on campus. It's not perfect, but it's a solution.

The Barracuda device is priced according to the throughput you need and the feature set. The 5Mbps unit (the 210), for example, does not include the ability to block malicious IMs. At the other end of the range, the premier unit achieves 200Mbps of throughput and includes the entire enterprise feature set, including IM blocking, caching, syslog support and more.

The Barracuda 210 runs around $2,000, with Energizer Updates (definitions) running around $500 per year. The top-line 810 unit can run as much as $28,000, with Energizer Updates costing an additional few thousand dollars per year. The middle-of-the-road Barracuda 410, which offers up to 20Mbps of throughput and, apart from that slower speed and a smaller cache, includes all of the features of the 810, runs around $6,000, with Energizer Updates running a little under $1,500 per year.

For more information about Barracuda's foray into the anti-spyware market, visit http://www.barracudanetworks.com/ns/products/spyware_overview.php.

Tangent Packet Hawk 2.0

Tangent's Packet Hawk 2.0 is a relatively new product in the market, but includes enterprise-level features, including centralized management and reporting, Quick Start assisted installation to get the device up and running quickly, and, like the Barracuda product, protection against instant message spyware, pop-ups, adware, and the general nasties that wreak havoc on your network. Packet Hawk can also help protect your desktops from problems related to removable media.

With prices ranging from $1,495 for up to 100 desktops ($495 per year for updated spyware definitions) up to just under $9,000 for up to 5,000 desktops (plus $2,995 per year for definition updates), the Tangent Packet Hawk is about in line with other products on the market. The company does make available a device that scans more than 5,000 desktops, too. For more information about the Packet Hawk, visit http://www.packethawk.com.

Antivirus vendors

Not to miss out, antivirus software vendors have recently started to jump on the anti-spyware bandwagon by adding spyware scanning capabilities to their products. This year, major antivirus vendors, including Sophos, Symantec and McAfee, have updated, or are updating, their products to cope with the spyware threat, which has become a serious security problem for many companies.

If you're already running an enterprise antivirus product, check with your vendor to see what their plans are in the anti-spyware space. You may be able to save a lot of money by doing so.

What to look for

Now that you have seen a little of what is available on the market, what should you look for as you try to make the best decision for your organization? Here are a few tips to help you make the best choice:

  • Central administration: For an enterprise-level product, this is a must, as it would be prohibitive to manually install a client on thousands of desktops.
  • Regular updates: Like a virus scanner, a spyware scanner needs to be updated regularly with new definitions. Whether your clients are updated from a central server on your network or from the vendor's servers doesn't matter, as long as the clients are kept current.
  • No conflict of interest: Microsoft made news recently when it was revealed that its anti-spyware product had lowered the alert status for Claria, a purported adware provider. Whether or not this is fair is still up for debate, but try to choose a solution that is free from these kinds of conflicts of interest, when possible.
  • Antivirus and anti-spyware in one: If you already have antivirus software for your enterprise, consider contacting that vendor before you start a search for a separate anti-spyware solution.
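To make the reporting and update-currency points above concrete, here is an added example (not code from the article or from any of the vendors it covers) that builds the kind of executive summary a central console is described as producing: how many desktops are infested, the top spyware found, the worst severity, a breakdown by category, the most infested machines, and a list of clients whose definitions have gone stale. The record layout, host names, spyware names and dates are all constructed for illustration and do not correspond to any product's export format.

```python
"""Executive-summary report over per-host anti-spyware scan records.

Added example; the HostReport/Detection layout is an assumption standing in
for whatever a real management console would export.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Severity scale used to rank detections (assumed; products use their own).
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "severe": 4}


@dataclass
class Detection:
    name: str       # spyware family name as the scanner reported it
    category: str   # e.g. adware, cookie, toolbar
    severity: str   # one of the keys in SEVERITY_RANK


@dataclass
class HostReport:
    host: str
    definitions_date: date              # date of the definition file the client used
    detections: list = field(default_factory=list)


# Constructed sample data: four hosts as a console might have aggregated them.
SAMPLE = [
    HostReport("lab-pc-01", date(2005, 6, 10), [
        Detection("SampleToolbar", "toolbar", "moderate"),
        Detection("TrackingCookie.Example", "cookie", "low"),
    ]),
    HostReport("lab-pc-02", date(2005, 5, 1), [
        Detection("SampleToolbar", "toolbar", "moderate"),
        Detection("ExampleAdware", "adware", "high"),
        Detection("ExampleDialer", "dialer", "severe"),
    ]),
    HostReport("admin-laptop-03", date(2005, 6, 12), []),
    HostReport("lib-kiosk-04", date(2005, 6, 11), [
        Detection("ExampleAdware", "adware", "high"),
    ]),
]
SAMPLE_AS_OF = date(2005, 6, 14)   # constructed "today" for the report


def stale_hosts(reports, as_of, max_age_days=7):
    """Hosts whose definition file is older than max_age_days as of `as_of`."""
    return sorted(r.host for r in reports
                  if (as_of - r.definitions_date).days > max_age_days)


def top_spyware(reports, n=10):
    """Spyware names ranked by the number of hosts they were found on."""
    counts = Counter()
    for r in reports:
        # Count each name once per host, preserving first-seen order for ties.
        for name in dict.fromkeys(d.name for d in r.detections):
            counts[name] += 1
    return counts.most_common(n)


def category_breakdown(reports):
    """Number of detections per category across all hosts."""
    return dict(Counter(d.category for r in reports for d in r.detections))


def most_infested(reports, n=5):
    """Hosts ranked by detection count, then by the worst severity present."""
    def key(r):
        worst = max((SEVERITY_RANK[d.severity] for d in r.detections), default=0)
        return (len(r.detections), worst)
    ranked = sorted((r for r in reports if r.detections), key=key, reverse=True)
    return [r.host for r in ranked[:n]]


def executive_summary(reports, as_of, max_age_days=7):
    """Assemble the summary figures a console's executive report would show."""
    infested = [r for r in reports if r.detections]
    worst = max((SEVERITY_RANK[d.severity] for r in reports for d in r.detections),
                default=0)
    worst_label = next((k for k, v in SEVERITY_RANK.items() if v == worst), "none")
    return {
        "hosts_total": len(reports),
        "hosts_infested": len(infested),
        "worst_severity": worst_label,
        "top_spyware": top_spyware(reports),
        "categories": category_breakdown(reports),
        "most_infested": most_infested(reports),
        "stale_definitions": stale_hosts(reports, as_of, max_age_days),
    }


if __name__ == "__main__":
    for label, value in executive_summary(SAMPLE, SAMPLE_AS_OF).items():
        print(f"{label}: {value}")
```

The stale-definitions list is the piece worth watching most closely: a client that is present in the console but has not pulled a definition update within the window you allow mobile users is protected only against whatever was known when it last updated, which is exactly the gap the "regular updates" point above warns about.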

Spyware is just going to get worse as we move forward in the Internet Age, so be prepared!
