CounterSpy Enterprise is a recent entrant in the battle
against spyware. It provides a solid defense of your corporate network with
powerful tools such as policy-based group management, remote agent
installation, and scheduled scanning. Let’s take a look at some of the features
and configuration options CounterSpy Enterprise includes.

Configuring database updates

Updating the spyware definition files is among the most
important tasks you’ll perform in the fight against spyware. You can deploy the
client agent to every machine on the network, configure stringent policies, and
perform spyware scans twice a day, but none of this will defend against a brand
new spyware application. The only way to prevent a new strain of spyware from
invading your network is to regularly update the spyware definition database. The
CounterSpy Enterprise interface makes the update process easy.

Managing the frequency of client and database updates is one
of CounterSpy’s system configuration options. To work with these settings, expand
the System list and click Updates, as shown in Figure A.

Figure A

 

The Updates screen lets you specify how often CounterSpy should
check for new updates to the client Agents and to the spyware definition, or
threat, database. Because your defenses are only as good as the software you’ve
deployed, you should consider checking for updates
every two or three hours. The inquiries and subsequent downloads are relatively
small and shouldn’t put a strain on your network. Even if you elect to check
for updates less frequently, you should check for threat database updates at
least twice per day.

The System Configuration screen contains optional settings for
configuring how CounterSpy Enterprise communicates with Sunbelt Software to obtain
updates. As Figure B shows, this
screen consists of two sections.

The Proxy Server Settings section allows you to configure
the Address and Port settings to use when communicating with Sunbelt Software.
The Email Server Settings section provides various e-mail configuration options
that CounterSpy will use to notify you about spyware/adware that is detected on
your network.

Figure B

 

Working with policies

The strength of any centrally managed product is the ability
for administrators to easily configure and manage clients. CounterSpy Enterprise excels in this
regard by simplifying configuration of group policies for maximum control and
flexibility.

The CounterSpy Enterprise Admin
Console provides an easy-to-use policy configuration interface. The Policies
folder expands to list all of the group policies that have been created. To
work with a policy configuration, simply highlight the policy to display the
available options, as shown in Figure C.

Figure C

 

The toolbar at the top of the screen lets you force a scan
on a single machine or all of the machines assigned to the policy. You can also
manage the machines in the policy using the Add, Remove, and Reassign buttons.

The middle portion of the policy configuration screen lists
all the machines assigned to the policy. The Last Scan column provides the date
and time each machine was last scanned for spyware. The Defs Version and Agent Version
columns display the threat definition and client Agent versions installed on each workstation.
Occasionally reviewing this information can help you make sure each machine is
being scanned regularly with the latest agent software and spyware definition
database information.
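
One way to automate the review described above, as an added example that is not part of the original article or of CounterSpy. It flags machines whose last scan is more than a day old (the once-a-day quick scan recommended later in this article) or whose definitions or Agent lag the newest version in the list. It assumes the three columns have been transcribed into CSV; that layout and all sample values are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data. The column names come from the policy screen;
# the CSV layout, machine names, dates and version numbers are assumptions.
SAMPLE = """Machine,Last Scan,Defs Version,Agent Version
WS-ACCT-01,2005-06-14 08:05,212,1.5.100
WS-ACCT-02,2005-06-11 17:40,212,1.5.100
WS-LAB-07,2005-06-14 07:55,198,1.5.100
WS-LAB-09,,212,1.4.090
"""

def version_key(text):
    """Turn '1.5.100' into (1, 5, 100) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def audit(csv_text, now, max_scan_age=timedelta(days=1)):
    """Return {machine: [problem tags]} for machines that need attention.

    'Behind' means behind the newest version seen in this list, not the
    newest published one, so a fleet-wide update failure will not show here.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    newest_defs = max(version_key(r["Defs Version"]) for r in rows)
    newest_agent = max(version_key(r["Agent Version"]) for r in rows)
    findings = {}
    for r in rows:
        problems = []
        last_scan = r["Last Scan"].strip()
        if not last_scan:
            problems.append("never-scanned")
        elif now - datetime.strptime(last_scan, "%Y-%m-%d %H:%M") > max_scan_age:
            problems.append("stale-scan")
        if version_key(r["Defs Version"]) < newest_defs:
            problems.append("defs-behind")
        if version_key(r["Agent Version"]) < newest_agent:
            problems.append("agent-behind")
        if problems:
            findings[r["Machine"]] = problems
    return findings

if __name__ == "__main__":
    for machine, problems in audit(SAMPLE, datetime(2005, 6, 14, 12, 0)).items():
        print(f"{machine}: {', '.join(problems)}")
```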

The Schedule tab provides a variety of options for both a
quick scan and a deep scan of the machines assigned to this policy. You can
enable either or both types of scans. You can also schedule the start time,
days of the week, and run frequency of the scan. The CounterSpy client Agent runs
as a background process that doesn’t affect workstation performance. You should
consider running a quick scan at least once per day and a deep scan once a
week. If the workstations have heavy Internet use, you should consider
scheduling more frequent scans.

The policy configuration window also allows you to configure
what gets scanned during a quick or deep scan. As Figure D shows, you can select from these options:

  • Scan Known Locations
  • Scan Cookies
  • Scan Memory And Running Processes
  • Thorough Scan

You should probably select all of these options for the deep
scan, and possibly select Scan Known Locations and Scan Memory And Running
Processes for the quick scan. The selections you make should be based on how
heavily the machines use the Internet. For heavy use, you might consider
selecting all of the options for both types of scans or possibly selecting
Thorough Scan during a quick scan.

Figure D

 

The CounterSpy threat database
contains all the known spyware that the software looks for when it scans a
workstation. However, just because a program is listed in this database doesn’t
mean that it isn’t legitimate software. For example, the DameWare remote
control tool could potentially be used for spyware-type purposes. That doesn’t
mean that it shouldn’t be installed; it’s a popular and useful tool for network
administrators. In this case, you wouldn’t want CounterSpy to remove the
program from certain machines when it performs the system scan.

The Allowed Threats tab, shown in Figure E, lets you allow
certain programs to be installed on the workstations that are assigned to the
policy. This prevents CounterSpy from removing them. It also enables you to
customize the policy for the person who is using the workstation. For example,
you’d want only network administrators to have the DameWare remote control
tool. The Allowed Threats tab gives you the flexibility of allowing certain
users to have the program, while preventing others from installing it.

Figure E

 

The Notifications tab, shown in Figure F, allows you to specify who is notified of certain types of
warnings generated by CounterSpy. For example, you could configure CounterSpy
to notify you of all the threats found during a system scan or just the very
critical ones. These notifications provide you with information about the threats
that were found on the network.

Figure F

 

As you can see in Figure G, the Agent tab provides several options for
configuring the CounterSpy Agent
software on the client workstations. You can display the CounterSpy taskbar
icon and elect to update the threats database or Agent software whenever
updates are available. You can also manually force an update of the threats
database or Agent software for all workstations assigned to the policy, and you
can change the reboot message per policy.

Figure G

 

The Action tab, shown in Figure H, enables you to specify the type of action taken for
certain types of spyware. For example, you could elect to quarantine programs
deemed to be adware or delete spyware considered to be an AOL Exploit.
Generally speaking, the default settings are appropriate for most environments.
However, each network and environment is different, so you may need to
fine-tune the actions to meet the needs of your organization.

Figure H

 

Management tasks

CounterSpy provides many configuration
options that allow you to manage agents, quarantined threats, and all spyware-related
threats. These features give you even more centralized control over how spyware
is handled on the network workstations.

Figure I shows
the screen that appears when you choose Agents under Management in the
CounterSpy interface. This screen provides information about the Agents that
are deployed on the network. You can check the status of the Agent software,
determine when the last scan was performed, and verify the threat database and Agent
version. In addition, you can assign a policy to the Agent. Although you can handle
these tasks in other places within the CounterSpy application, it’s much easier
to view all of the Agents in one location, rather than having to view them
within each policy.

Figure I

 

The Quarantine and Threats management options are similar. The
Quarantine screen provides information about spyware that was found by client Agents.
The Threats screen, shown in Figure J,
provides a list of all the threats in the database. You can use this
information to determine the name of the program, the organization that produced
the application, and the threat level of the spyware.

Figure J

 

Wrap-up

The easy-to-use interface and powerful tools available in
CounterSpy Enterprise make it an appealing choice for spyware defense. The
centralized management features simplify the job of configuring and managing
client Agents, updating the threat database, and leveraging other CounterSpy Enterprise
options for effective protection and flexibility.

Most enterprise anti-spyware tools on the market were adapted
from stand-alone products rather than designed specifically for an enterprise
situation. CounterSpy Enterprise
benefits from being designed from the ground up as an enterprise tool. It’s one
of the more comprehensive anti-spyware programs available and should provide a
solid defense against spyware for virtually any size organization.