Counter-spies on the LAN
05 October, 2004 14:21
In days past, help desks trotted out their anti-virus kits when asked to minister to sickly PCs. But today they must also bring to bear an array of anti-spyware tools. Spyware -- with its adjunct, adware -- is fast becoming the No. 1 problem among Internet-connected computers, more so than viruses or hack attempts.
Often, these burdensome programs do more than monitor users' Web-surfing activities or inject unwanted advertisements. They also try to steal passwords, intercept information entered into online forms, and make changes to Internet and network settings, to the point that a computer can choke on all of the excess clutter and might fail to work correctly at all.
Spyware can share some qualities with Trojan horse programs, and that's where the traditional anti-virus vendors claim to protect against them. For the most part, however, these intruders are able to sneak their traffic right by firewalls and anti-virus programs, rendering traditional security practices useless against them.
A number of companies market products designed to specifically target spyware and adware, but most are designed for home desktops. Computer Associates International's eTrust PestPatrol Corporate Edition and Tenebril's SpyCatcher Enterprise are two network-ready solutions for eliminating spyware from enterprise environments.
I evaluated both programs based on enterprise features: their capability of detecting, removing, and preventing spyware and adware; reporting and logging; and day-to-day maintenance. Each proved to be a capable performer, but for overall detection and removal, PestPatrol bested SpyCatcher on all test clients.
eTrust PestPatrol Corporate Edition 5.0
CA recently acquired PestPatrol and added its product to CA's overall enterprise protection strategy, known as eTrust Threat Management. The Corporate Edition adds centralized client and update management with an intuitive GUI and a straightforward approach to spyware and adware protection.
I installed PestPatrol Corporate on a Compaq DL-380 server running Windows 2003 Server. After installation, I launched the management console and was able to begin browsing through the various domains and computers I have in my test facility.
I was impressed by how well the PestPatrol console identified my network setup. But it did its job a little too well: It also listed some computers that are no longer active in the domain, and there is no way to remove a computer from PestPatrol's list. This cluttered the display but otherwise did not affect the product's performance.
Client installation is done using a "push" from the console for Windows 2000 and newer PCs. The administrator simply chooses the desired machine and clicks the Scan Now button. If the client is already installed, then the scan starts immediately. If it is not, the client installs silently without any visible traces -- no client or application group is created, and there's no application for the end-user to run.
This feature worked well, as long as the user logged in to the server running PestPatrol Corporate's console had administrative rights on the client PC. Otherwise, the client install would fail. To work around this -- for Windows 95 and 98 PCs or to deploy the client through an existing software distribution system -- a command line installation option is available that can be easily run using log-in scripts.
All client-related functions -- enabling real-time protection, updating the client engine, and setting up what to do when a threat is detected -- are easily accessed from the console. Administrators can choose to log, delete, or quarantine any detected pests during an interactive or scheduled scan. They can also specify what they want to scan, be it memory, cookies, the Registry, common malware locations, hard drives, or a specific path.
An exclusion file is also available to give admins the ability to ignore specific items, such as remote administration utilities or authorized security programs, during a scan. For example, I added UltraVNC, a remote access tool, to my exclusion list to eliminate it from detection. But you cannot add new applications to PestPatrol's database as you can with SpyCatcher. Thus, PestPatrol won't help you spot suspicious files or non-line-of-business programs.
PestPatrol Corporate did an excellent job of detecting pests on my test clients. On one system, PestPatrol detected 25 spyware programs; SpyCatcher detected only 14. Anti-spyware programs often vary in the number of cookies they identify as spyware, so I told both programs to ignore cookies for the purpose of my test.
At rest, PestPatrol uses only 7MB of memory, but during a scan operation, its usage grew to about 34MB, and it used nearly 100 percent of CPU time. Unlike SpyCatcher, PestPatrol will not let you set the maximum client CPU usage, meaning clients all but grind to a halt during scanning.
I found it easy to manage detected programs through the PestPatrol console. When I selected a computer from my domain, the list of detected pests was retrieved from the client and displayed in a table. With a simple right-click, I could delete the pest or remove it from quarantine. It would have been nice to be able to add items to my exclusion list from this view, but that feature wasn't available.
PestPatrol Corporate downloads database updates to the central console machine and then distributes them to each client either manually or on a schedule; SpyCatcher forces each client to download the update separately via the Internet. PestPatrol's updates can sometimes be large, so having the console perform a single download saves Internet bandwidth.
On the downside, PestPatrol's reporting lacks a certain robustness, with less extensive facilities than those found in SpyCatcher. The management console does create, however, a text-based report of pests, showing workstation name, date, time, detected program name and category, and the action taken. There is no advanced logging in PestPatrol, such as to a Syslog server, but the software can e-mail a specific administrator when spyware is detected.
Overall, eTrust PestPatrol Corporate Edition did an excellent job of detecting and removing adware and spyware from our systems. The management console is easy to navigate, and there is enough flexibility in how and what to scan to fit most situations. My main gripe is that I would like to see more robust logging and reporting, such as to a Syslog or other external system.
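The review's main gripe is the missing Syslog output, and a common workaround is to parse the console's text report yourself. The following Python forwarder is an added example, not code from the review or from either product: it parses a constructed report carrying the fields listed above (workstation, date, time, pest name, category, action) and renders each row as an RFC 3164 syslog line; the column layout, the `antispyware` tag and the local4 facility are assumptions.

```python
import re
import socket
from collections import namedtuple
from datetime import datetime

# Constructed sample of a console pest report carrying the fields the review
# lists (workstation, date, time, pest, category, action). The column layout
# is an assumption for this example, not the product's documented format.
SAMPLE_REPORT = """\
WORKSTATION  DATE        TIME      PEST               CATEGORY   ACTION
WS-ACCT-07   2004-10-05  09:14:02  Gator              Adware     Quarantined
WS-HR-02     2004-10-05  09:15:41  CoolWebSearch      Spyware    Deleted
WS-ACCT-07   2004-10-05  09:16:10  Generic Keylogger  Keylogger  Logged
"""

LOCAL4 = 20  # syslog facility chosen for forwarded pest events (assumption)
# A pest that was only "Logged" is still resident, so it gets a higher severity.
SEVERITY = {"Deleted": 5, "Quarantined": 5, "Logged": 4}  # notice / warning

PestEvent = namedtuple("PestEvent", "host when pest category action")

def parse_report(text):
    """Split each report line on runs of two or more spaces into six fields."""
    events = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 6 or fields[0] == "WORKSTATION":
            continue  # header, blank or malformed line
        host, date, time, pest, category, action = fields
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append(PestEvent(host, when, pest, category, action))
    return events

def to_syslog(ev, facility=LOCAL4):
    """Render one event as an RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + SEVERITY.get(ev.action, 4)  # unknown action -> warning
    stamp = f"{ev.when:%b} {ev.when.day:2d} {ev.when:%H:%M:%S}"  # day space-padded
    return (f"<{pri}>{stamp} {ev.host} antispyware: "
            f'pest="{ev.pest}" category="{ev.category}" action="{ev.action}"')

def forward(events, server, port=514):
    """Send each rendered event as one UDP datagram to the syslog server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for ev in events:
            sock.sendto(to_syslog(ev).encode(), (server, port))
    return len(events)
```

Run `forward(parse_report(open(path).read()), "syslog.example.internal")` from a scheduled task after each console scan to ship the rows to a collector.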
SpyCatcher 3.0 Enterprise
SpyCatcher Enterprise takes an approach similar to PestPatrol Corporate, creating a central point of administration for clients. The management console is lean yet usable, offering flexible control of what malware to keep an eye on and what to ignore.
Installation of SpyCatcher Enterprise went smoothly with no surprises on my Compaq ML-530 rack-mount server running Windows 2003 Server. Client software is installed via Windows .MSI installation packages, which can be distributed through a shared folder or a software distribution system. Unfortunately, you cannot handle console-to-client management in real time, making immediate client changes and updates impossible. Clients seem to check in to the management console for updates about once per hour.
At the end of the console installation, a wizard stepped me through the process of defining the communication method between the console and the client application. The three choices were direct network connection, use of an intermediary FTP server for inbound and outbound data, and use of a shared folder on a network drive to act as the intermediary. I chose to use the direct network option, because all of my PCs could communicate directly with the SpyCatcher console. Most enterprises will want to use this method, if possible, because it provides the best overall performance.
The wizard also allows administrators to secure the client-side application with a password or to hide the system tray icon completely. Unlike PestPatrol Corporate, SpyCatcher installs a client application that an end-user can run at will unless administrators explicitly prevent it with a global setting.
By default, SpyCatcher merely logs detected adware or spyware, but administrators can also set it to automatically disable all malware upon detection. In the event of false positives, SpyCatcher can save recovery information on the client PC so that any deleted files can be restored. In one feature not found in PestPatrol, SpyCatcher can "scrub" deleted files to prevent undeletion by overwriting them using a Department of Defense-style algorithm.
SpyCatcher lets administrators keep an eye on particularly troublesome clients by adding them to its Watch List. This is a great way to quickly and easily monitor specific clients for new or continuing spyware infections. Unfortunately, SpyCatcher will not allow you to disable any software from the Watch List screen; you must go to another page. Nonetheless, I found it easy to disable programs from the Detected Spyware page -- simply select the item and click the Disable button.
Administrators can decide what types of spyware to scan for by choosing any of SpyCatcher's predefined groups, such as "Backdoor Targets" or "Malicious ActiveX Components." But as in PestPatrol, you cannot create new group listings of your own.
SpyCatcher admins can exclude groups of pests from detection but cannot exclude a single pest as PestPatrol can. Unlike PestPatrol, SpyCatcher allows admins to add suspicious or non-line-of-business files to the scanning database, which lets even non-spyware programs and files be detected and disabled. For example, if users are constantly playing Solitaire, administrators can add SOL.EXE as a custom fingerprint to the scanning database to disable it on all clients.
SpyCatcher did an adequate job of locating and disabling malware on our test systems. As did PestPatrol, it found all of the major spyware applications, but PestPatrol seemed to be able to locate a few more support files.
I liked that I could set how much CPU time SpyCatcher would use during a client scan, something PestPatrol wouldn't let me do. By throttling back CPU usage, I was able to run a scan on a client while it was in use without adversely impacting overall performance. On the downside, SpyCatcher was a bit of a memory hog. The two services installed on the client computer used roughly 34 MB of RAM, even when not running a scan.
Unlike PestPatrol, each SpyCatcher client is responsible for downloading its own updates from Tenebril, instead of using a single distributed download. Tenebril notes that the updates are small, usually only a few kilobytes, but multiply that by a hundred users, and precious bandwidth quickly starts to shrink. Clients check for updates on a predefined schedule or interactively from the management console.
SpyCatcher's reporting features are better than PestPatrol's, but not by much. In addition to text-formatted reports, SpyCatcher can save to CSV (comma separated values) files and in a form ready to import into SQL, although the latter takes some effort to set up. Administrators can have reports e-mailed to them using the same formats, or SpyCatcher will simply save them to disk. Reports can also be set to run on a variety of schedules.
Tenebril has the makings of a solid performer in SpyCatcher Enterprise. I like that it allows custom database definitions and that it can hide the client engine. Plus, the CPU throttle is a nice feature. If it had a better way to exclude specific entries and centralized database updating, it would be a real winner.
Still, a couple of rough edges should not keep anyone from considering this product. In my tests, PestPatrol emerged ahead by a nose due to its slightly more comprehensive results, but both solutions proved to be effective tools for keeping spyware and adware off enterprise networks.