Ignorance of Spyware in the Enterprise Still High

What happens when an organization with spyware problems can’t install anti-spyware software on every one of its systems?

That was the problem faced by Florida-based Mercy Hospital network, the largest chain of hospitals in the United States. Of course, Mercy didn’t know there was a problem per se until it began rolling out Blink—real-time endpoint protection software from eEye Digital Security, based in Aliso Viejo, Calif. “What they realized was there were a couple of machines upstairs infected with spyware” trying to infect every other hospital machine, says Mike Puterbaugh, eEye’s senior director of product management.

While the problem was eventually traced to bone-density testing machines running Windows 2000, patching the machines wasn’t as simple as running anti-spyware software. “Because they were so heavily regulated by the various health care regulations that hospitals operate under, the hospital actually didn’t have rights to update the machine. They actually had to bring in an accredited third party.” Puterbaugh also says the hospital is implementing a new build of those machines with Blink baked in.

Mercy Hospital isn’t unique. Spyware has gone corporate. According to IDC, 80 percent of enterprise desktops are infected with spyware.

The impact of spyware can be counted in more than just lost CPU cycles and keystrokes monitored. “Many of our clients report that spyware is the cause of 30 percent of their help desk calls and often requires in-person IT support to remove the spyware or re-image the PC,” says John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. To help, he says, “spyware prevention must be integrated with antivirus and personal firewall protections to be effective in the long run.”

While research on the pervasiveness of spyware on corporate PCs and new products from large antivirus providers should help raise the spyware issue with senior managers, there’s another problem: ignorance. “Unfortunately, most organizations we’ve worked with do not realize they have spyware installed on desktops throughout their network,” says Marc Willebeek-LeMair, chief technology officer of intrusion prevention system (IPS) vendor TippingPoint, a division of 3Com based in Austin, Texas.

Spyware: The Antivirus Years

That said, anti-spyware software is still in its relative infancy. “We’re still at very early stages of spyware control technology,” says David Ferris, president and senior analyst of Ferris Research. He notes how “there’s no agreement on classifications of spyware, no independent product testing, no standard APIs allowing for files to be checked by third party anti-spyware filters, and vendors don’t share information.” All in all, it’s “a bit like the early days of virus control.”

Even so, “there’s a long-term market here,” says Ferris. “Just as we all have virus controls in place, so by 2007 all organizations will have spyware controls in place.” Expect the two markets not to be so far apart: “today’s leading anti-virus vendors seem natural candidates” to be tomorrow’s anti-spyware leaders. Those companies, he notes, are Symantec, Network Associates’ McAfee, and Trend Micro.

Indeed, a number of large antivirus vendors have announced new or upgraded spyware capabilities. Computer Associates, for example, bought PestPatrol last year and integrated the anti-spyware software into its enterprise antivirus software line, and is working toward having one console manage both the antivirus and anti-spyware software.

Recently, McAfee released Anti-Spyware Enterprise that works with the company’s Enterprise 7.1 and 8.0i products. Using the enterprise-level ePolicy Orchestrator, or ProtectionPilot for small-to-medium businesses, security managers can roll out and manage all PC-based anti-spyware (and antivirus) software in the organization.

Symantec also announced Symantec Client Security 3.0 and Symantec AntiVirus Corporate Edition 10 will both detect and remove spyware and help restore PCs damaged by spyware.

Quarantining Infected PCs

Beyond antivirus products that incorporate anti-spyware features, security managers can also choose to run standalone anti-spyware products, such as WebRoot or InterMute, or look for similar functionality, as mentioned above, in a desktop-based IPS.

One upside to running IPS technology on the desktop is it gives enterprises a way to detect and quarantine suspect PCs running the software. Such functionality is notably the goal of two endpoint-security initiatives: Cisco’s Network Admission Control (NAC) program, initially a collaboration between Cisco and McAfee, Symantec, and Trend Micro; and Microsoft's Network Access Protection (NAP).

“We’ve entered every one of these initiatives, but I think they’re still a couple of years out before we see the fruits of these labors,” says eEye’s Puterbaugh. By comparison, IPS devices can also quarantine suspect computers now.

Given the capability of IPS to watch for a range of problems, including viruses and spyware, could such software obviate the need for antivirus on the desktop?

The answer is no, or at least not right away. “Antivirus is the most sacred thing on the desktop, and we’re definitely very clear to say that we complement antivirus,” says Puterbaugh. “We’re not in the position to say we’ll replace antivirus.”

Related Articles

Anti-spyware Fallout
http://www.esj.com/Security/article.aspx?EditorialsID=1292

Microsoft Update Onslaught Targets Spyware, Viruses
http://www.esj.com/news/article.aspx?EditorialsID=1284

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
