This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Zeroing in on price
Companies participating in our review submitted the following prices for their products.
eTrust PestPatrol Anti-Spyware 8.0
$24.80 per seat for 500-749 users for product and subscription.
Desktop Anti-Spyware 1.2
$6,250 for 500 users
Ad-Aware SE Enterprise 1.7
$31.25 per user for 10-25 users
AntiSpyware Enterprise 8.5
$11.60 per user; $4.96 per user subscription for 501-1,000 users
Enterprise Threat Shield 3.0
$11.40 per user; $13.97 per user subscription for 500 users
Anti-Spyware Enterprise Edition 3.0
$11.55 per user; $3.47 per user subscription for 501-1,000 users
Spy Sweeper Enterprise 2.5
$8,790 for 500 users
Real-Time Detection Techniques
We were surprised by the significant variation in methods used for real-time detection. While each of the products permits an administrator to launch or schedule scans, the real-time methodology differs significantly from product to product.
CA monitors the launch of executable code and blocks the execution of software that matches known signatures. Trend Micro focuses on the file system, checking file writes against known signatures; this is useful for detecting copy actions but not the execution of code that sneaks onto the file system through something like an alternate data stream (ADS). Webroot favors on-demand scans in lieu of real-time protection, in essence running a scheduled on-demand scan of memory for spyware signatures every five minutes.
eSoft and Lavasoft use on-demand scans as their sole detection method in their default configuration--a major limitation. eSoft depends on an administrator to activate real-time protection. When activated, eSoft's real-time defenses work much like the file system protections of Trend Micro. With no enterprise control of its real-time defenses, Lavasoft depends on users activating real-time protection, which focuses on behavior-based detection (particularly changes to the registry). McAfee and SurfControl use a blended approach that detects both file system activity and executables at launch.
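The trade-offs between these approaches can be seen by replaying one timeline of events through each of them. The following is an added example, not code from the review or from any of the vendors; it is a simplified model, and the event fields, sample names, signature set and timings are all constructed assumptions.

```python
from dataclasses import dataclass

SCAN_INTERVAL = 300          # seconds: the five-minute memory scan described above
KNOWN = {"sample-a", "sample-b"}   # constructed signature set

@dataclass
class Event:
    t: int                   # seconds into the constructed timeline
    kind: str                # "write", "exec" or "regset"
    sample: str
    seen_by_fs_monitor: bool = True   # False models a write the file monitor misses (e.g. via an ADS)

def on_write(ev):            # file-system monitor: signatures checked on observed writes
    return ev.kind == "write" and ev.seen_by_fs_monitor and ev.sample in KNOWN

def on_exec(ev):             # launch monitor: signatures checked when code starts
    return ev.kind == "exec" and ev.sample in KNOWN

def on_regset(ev):           # behaviour monitor: flags registry changes, no signature needed
    return ev.kind == "regset"

def evaluate(events, hooks=(), periodic=False):
    """Map each detected sample to (detection time, seconds it ran undetected)."""
    result, started = {}, {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.sample in result:
            continue
        if any(hook(ev) for hook in hooks):
            result[ev.sample] = (ev.t, ev.t - started.get(ev.sample, ev.t))
        elif ev.kind == "exec":
            started[ev.sample] = ev.t
    if periodic:             # memory scan only sees known code that is already running
        for sample, t0 in started.items():
            tick = -(-t0 // SCAN_INTERVAL) * SCAN_INTERVAL   # first scan at or after launch
            if sample in KNOWN and (sample not in result or tick < result[sample][0]):
                result[sample] = (tick, tick - t0)
    return result

TIMELINE = [                 # constructed events, not measurements from the review
    Event(10, "write", "sample-a"), Event(20, "exec", "sample-a"),
    Event(30, "write", "sample-b", seen_by_fs_monitor=False),
    Event(40, "exec", "sample-b"), Event(45, "regset", "sample-b"),
    Event(50, "write", "sample-c"), Event(60, "exec", "sample-c"),
    Event(65, "regset", "sample-c"),   # sample-c has no signature
]

if __name__ == "__main__":
    for name, kw in [("file writes", {"hooks": (on_write,)}), ("launch", {"hooks": (on_exec,)}),
                     ("blended", {"hooks": (on_write, on_exec)}), ("memory scan", {"periodic": True}),
                     ("registry behaviour", {"hooks": (on_regset,)})]:
        print(f"{name:20} {evaluate(TIMELINE, **kw)}")
```

In this model only the behaviour monitor flags the sample with no signature, and only after it has already started running; the periodic memory scan catches known samples but leaves them running for most of a scan interval.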
Room to Improve
McAfee was a clear leader across the board, with solid enterprise management, strong detection and resistance to attack.
CA, SurfControl and Webroot were next. CA's strength lies chiefly in its relatively strong enterprise abilities, and SurfControl demonstrates reliable real-time detection mechanisms. Webroot's enterprise capabilities were just OK; its detection was below average. Very close behind were eSoft, which was OK across the board, and Trend Micro, with average detection and somewhat disappointing management capabilities. Lavasoft, which offers a fine consumer-grade product, did not score well with its enterprise version.
Overall, the antispyware industry is far less mature than its antivirus counterpart. Most AV vendors have comprehensive detection capabilities, based largely on a combination of real-time and on-demand scan techniques. They often differentiate themselves based on user interface, software bundling, support and speed of signature releases. In the antispyware industry, on the other hand, there are major differences in each vendor's detection mechanisms (particularly behavior-based and real-time detection) and enterprise-wide management.
While enterprise antispyware tools can help cut the onslaught of help desk calls, clearly most still have a long way to go.
This was first published in May 2006