In-Depth

What's Ahead for Enterprise Anti-Spyware

Performance takes biggest hit from spyware today; look out for spyware working as a phishing aid

• By Mathew Schwartz
• 04/06/2005

When it comes to spyware, most consumers with anti-spyware software nuke anything remotely questionable.

Enterprises, however, have different concerns. “Enterprises perceive the primary threat of spyware as the performance impact on their computers,” notes Ferris Research analyst Gabriel Golden. “Interestingly, they perceive the threat of the actual spying to be minimal, or even theoretical.”

Enterprise-grade tools must work accordingly. To discuss security managers’ perspective on anti-spyware tools, Security Strategies spoke with Andy Ostrom, director of marketing at Braintree, Mass.-based InterMute, which recently released a new enterprise anti-spyware tool.

How pervasive are enterprise spyware infections?

Forrester says eight percent of corporate systems have spyware, which to me seems ridiculously low. Other analysts have come out and said it’s in the 90-percent range.

What’s the biggest problem enterprises have with spyware infestations?

Most of the real impact is performance degradation, and usually one piece of spyware doesn’t do that to you. Now, that being said, … there is always the risk of getting a key-logger or one of the pieces of software that’s trying to steal information.

But the bigger problem we see is PCs are getting clobbered, and organizations are investing in new PCs because they think they’re too slow for applications when actually all that CPU time is being wasted doing work for somebody else.

Are there any types of spyware that resist cleaning?

There’s some spyware that’s really resistant. So far we haven’t found anything we can’t get rid of, though sometimes they take a little more work. Some of the variants of CoolWeb Search [for example] are really nasty. They watch each other’s back, and if you just get one … as soon as you log out, it reinstalls itself. And there’s no easy way to get it out, or you have to do some really funky gyrations at boot time to get rid of it.

[So] we’ve embedded CoolWeb Shredder into the enterprise product … It’s a freeware utility, it was created by a guy in the Netherlands … just to deal with this CoolWebSearch software.

What do security managers expect from an enterprise-grade anti-spyware product?

There are three things that are really, really key for any enterprise solution … A lot of folks that have what they call enterprise products have taken a consumer product, put a little way to distribute it in, and put it out there. Then what happens is, you still have a need for the end user to be involved. We think that’s a mistake. With our product, the software gets loaded on [PCs], and there’s no user interface. Why, if you had an enterprise with 10,000 users in it would you want to have 10,000 users mucking around with security software?

The second requirement is minimizing end-user impact … With our scanner, even though an administrator may set it to run at an off hour, if you travel with a laptop, your off hour may be your working time. So … we have the scanning engine scanning for activity that’s created by the user, and if it sees that it backs way off … and it waits for idle time. There’s no reason why a spyware scan (or for that matter an AV scan) should take priority over users getting their work done.

Third is ease of administration and use … [Our] console is a Web-based application, so if you have an organization with multiple locations, you can still manage them from one office …

How automated is spyware detection and removal?

We don’t recommend turning on automatic cleaning when you first start off, but automatically cleaning is one option. That being said, you can select a single system out there and run a single scan, or single clean …

What we’ve seen with existing customers is … it usually takes them a week or so of fiddling with it a little, getting the groups and policies they want established, then they forget about it. It just works.

Why do organizations need to customize anti-spyware policies?

It depends upon your organization. One of our customers is a municipality, and they have a police department that does cyber investigations, so they need to be able to access spyware, because they’re looking into it.

Why not just run automatic spyware cleanup from the beginning?

We believe that false positives are a problem in our industry in general, and we try to not be too aggressive and send up alarms about things that are not [definitely] spyware. Also, [it’s open to interpretation]. Take Gator: 99 percent of the world thinks of Gator as spyware, or as malware. Probably there’s one percent out there, including the folks at Claria, who don’t.

So there might be something in our database that people [in general] want removed, but … in your particular environment, you may want to keep that. And certainly by running a scanner without automatic cleaning turned on, you’ll see those things pretty quickly. It’s just about being cautious.

Do anti-spyware providers share their spyware databases with each other?

That’s something a lot of people ask me: Do the companies share databases? No. Should we? Probably.

Unlike the antivirus world, spyware isn’t black and white; there’s a lot of gray. That’s another thing our industry has to deal with … What is spyware, what isn’t spyware, because things we think aren’t, somebody else might say are.

Do anti-spyware companies’ spyware appraisals differ much?

A lot of the current competition in the anti-spyware space, they say this one gets rid of 25,000 pieces of spyware, and this one, 27,000 pieces of spyware. Well, it’s not about the number … For example, [take] Gator … Gator has some registry entries, and some files, but Gator uses only one file directory. Now some vendors, to inflate their numbers, enumerate every file and registry key …

Playing the numbers game is an unfortunate thing that’s going on right now, and hopefully as the industry matures it will be more about does this solve my problem.

Beyond reducing false positives, where will anti-spyware software go from here?

[InterMute’s] background started in the ad-blocking space, so we firmly intend this spring to add our ad-blocking technology to the enterprise anti-spyware product, so … on a corporate-wide basis, you can deploy a corporate ad-blocking capability.

What’s the incentive for blocking advertising on an enterprise level?

Customer studies show you can typically get 13-16 percent bandwidth savings by blocking—especially the Flash and multimedia ads that come up. These are things the corporate IT guys probably don’t feel they should be paying to display on their corporate networks in the first place. Not only are these ads a distraction, but they’re a time-waster for employees, and they make your Internet browsing experience more unpleasant.

Beyond that, [expect more] scalability, reporting—nothing revolutionary at this point, more evolutionary—and providing support for some additional environments.

Is spyware being used to aid phishing attacks?

We think there’s naturally a transition from [phishing] to a more spyware-focused kind of attack. We haven’t seen it yet, but we certainly envision the possibility you’ll see phishing attacks coming from spyware …

Just think about a browser helper that was waiting for you to type a name from a list of 10-15 Web sites … and when you type in Citibank … it redirects you to another site that looks like Citibank. So … because spyware [can] integrate into the browser, there is the potential for folks to take advantage of those for these kinds of attacks …

But we really haven’t seen much of that yet. The potential is there, but most of the spyware we see is annoying and wasting of resources, and hasn’t been malicious yet. We think that will be the next major activity, however.

Related Articles

Ignorance of Spyware in the Enterprise Still High
http://www.esj.com/Security/article.aspx?EditorialsID=1322

Microsoft Update Onslaught Targets Spyware, Viruses
http://www.esj.com/security/article.aspx?EditorialsID=1284