A closer look at this review
Information Security tested seven enterprise desktop antispyware products from CA, eSoft (licensed from Aluria Software), Lavasoft, McAfee, SurfControl, Trend Micro and Webroot to determine their management capabilities, behavior- and signature-based detection and resilience to attacks. (Shavlik Technologies, Sunbelt Software, Symantec and Tenebril declined to participate, all citing anticipated improvements in upcoming releases available after our test period.)
Our test bed consisted of a Windows 2000 management server controlling three Windows XP Pro workstations. We tested each product against 54 common spyware specimens, including keystroke loggers, pop-up ad generators and browser hijackers. We also built a custom suite of spyware-like applications, dubbed SPYCAR (available for download at www.intelguardians.com/spycar), to test behavior-based detection when no signature is available. For each product, we tested real-time protection both while the spyware was being copied onto the system and while it was being run, as well as on-demand scanning of the complete system.
The ability to control antispyware tools across an enterprise is crucial. If a product can't be managed remotely and in large numbers, it just isn't useful to enterprises. We compared several aspects of enterprise management:
Policy definition and grouping. Each of the antispyware products allows administrators to define policies by setting scan schedules, specifying quarantine and delete options, and tweaking scan configurations. While such options are useful, the ability to apply policy to grouped systems is critical in large, growing deployments.
McAfee offers the most comprehensive policy configuration options, allowing fine-grained control over scan schedules, real-time alerting and user interface configuration, with different policies allowed for arbitrary groups of machines. These features are then coupled with an excellent framework for application through McAfee's bundled ePolicy Orchestrator. This powerful and intuitive interface allows admins to define policies for specific networks, domains, ad hoc groups and subgroups. Moving systems from one policy to another requires a simple drag and drop, and the object-oriented inheritance of policies by subgroups facilitates managing large deployments.
CA offers flexible policy definitions and grouping options. However, fewer scan options can be tailored with CA's eTrust Integrated Threat Management Console, which isn't nearly as intuitive as McAfee's and seemed significantly more sluggish. It was harder to determine if and when policies were actually applied to a given host.
While eSoft, SurfControl and Webroot support applying policies by group, no subgroup options are available, limiting their flexibility and appeal to large organizations. Trend Micro offers only a flat listing of machines, limiting its scalability beyond several hundred managed systems. Larger installations require Trend Micro's Control Manager.
Lavasoft's enterprise management abilities are extremely limited. The enterprise GUI allows admins only to define update intervals and to schedule on-demand scans of either all enterprise systems at the same time or a single machine. The enterprise server can't group client machines, nor can it control any of the clients' real-time detection mechanisms, which are off by default. Lavasoft's enterprise solution appears to be a simple GUI, stripped down to minimal protections by default, slapped onto its consumer product.
This was first published in May 2006