Q&A: Eradicating Spyware in the Enterprise

Finally there's software to let enterprises remove spyware.

Spyware, scourge of the corporate world? While the extent to which malicious software (including spyware, adware, and Trojan software) infests the enterprise isn't completely known, Webroot Software and Earthlink recently scanned 1.5 million consumer PCs for spyware and found an average of 27.5 pieces of potentially malicious software per machine.

For consumers, the results of spyware infestations range from the annoying (such as opening pornographic Web sites) to the egregious (including recording all keystrokes to discern bank account information and passwords). The same goes in the corporate realm, only with intellectual property at risk.

Until recently, anti-spyware tools with the management features needed to administer thousands of users didn’t exist. Two recent releases—Webroot’s Spy Sweeper Enterprise and PestPatrol’s Corporate Version—give enterprises a way to eradicate spyware.

To discuss spyware, and what organizations can do about it, Security Strategies spoke with Webroot’s Christine Stevenson, vice president of marketing, and Brian Kellner, the Spy Sweeper Enterprise product manager.

You’ve offered consumer anti-spyware software since 1997; why is enterprise-class software only appearing now?

Stevenson: The problem [and thus the need] is accelerating at a much more rapid pace than we expected. We … expected it would be around the end of 2005 [when] spyware eclipsed viruses in terms of daily growth rate … and now it’s poised to overtake viruses by the end of 2004.

[Also] one of the things that was important to us was to truly architect an enterprise product from the ground up, rather than trying to re-architect the consumer product for an enterprise product. We had to build it from the ground up.

What differentiates enterprise anti-spyware from its consumer counterpart?

Kellner: In thinking about an enterprise feature set, it really comes down to you needing to get the client onto [many] desktops … So enterprises need to deploy, update, configure, and control … and report on what’s coming back to them. That’s the basic feature set of the enterprise product.

Are there unique challenges, tackling spyware at the enterprise level?

There’s a greater need to control how the client is used, enforce that it has the definitions, [and] ensure sweeps run at a regular frequency, and that sort of control isn’t in the consumer space at all. There’s [also] a [much greater] need in enterprise environments to … fit within [the] architecture and deal with proxy servers, things like that.

What’s driven your customers to use enterprise anti-spyware tools?

We’re seeing three compelling things that are moving them: the desktop impact, bandwidth, and security concerns.

One [hi-tech] customer was rebuilding three to five systems a day out of 1,000 systems [due to spyware]. This is an environment with a leading antivirus software package …

In many enterprises today, spyware is the biggest user of port 80 in terms of consuming bandwidth.

Is centralized administration for enterprise anti-spyware software mandatory?

Yes. [Just try] to go to 500 desktops and change all the [spyware] settings. Today, companies [understand] the antivirus [metaphor]—how often they’ll update definitions, run a sweep. They want to make sure [anti-spyware] is [similarly] centrally managed.

Also if someone does find a piece of spyware—a key logger or system monitor, something that is potentially dangerous—who’s to say they’re going to tell the right people about it? In our system, you can put a list of [who needs to be told]. For example, if your R&D guy’s PC has a key logger on it, who needs to be notified?

Take Valve Software [which makes the Half-Life video game] … its CEO got a key logger on his system, and [Valve] lost a lot of source code on their product to hackers. It set them back six months [on the release of Half-Life 2].

How much control do end users get?

Stevenson: Spyware … is not a black-and-white space. So to give end users in an enterprise space control over what they’re removing from their system is not the best option. The IT department might have a remote access tool on the system that the end user shouldn’t be removing … So enterprises need that centralized control of determining what to remove or not.

What exactly do users see on their PCs when enterprise anti-spyware is installed?

Kellner: We give companies three options. One option is … completely invisible; the user doesn’t see it’s there, the sweeps run, it reports back … [However] some customers like to give users [more] … control. So another option is … the client is there [as an icon in the tray], the end user can bring it up, but it doesn’t really do anything. It says when it’s doing its work, and can animate the icon in the tray so users know when it’s running.

The third is a highly visual option, so when it’s sweeping, it really shows what’s going on.

From the management console … you can also delegate down discrete capabilities—sweep zone, frequency of scanning, potentially even some quarantining [capabilities]. For some power users, [companies] want to allow people to interact with the software.

Are there any classes of spyware your software can’t easily quarantine?

Spyware is evolving very, very quickly … it’s an arms race. [The goal] in the spyware game is making something that is difficult to get off the system. Now, is it possible that someone will develop something that is really hard to get off the system? Yes, that’s possible. What … we try to do is really prevent them getting it on [the PC] at all, using proactive shields. [For example,] blocking software that tries to change [the user’s default] homepage.

So you’re looking for prevalent attacks and trying to block them in advance?

Exactly. And in the next release, we’re putting in more mechanisms to help stop [attackers] from messing with [other] host files. We keep looking at ways of innovating so that we can detect spyware.

Stevenson: Those proactive shields allow us to move to a more heuristic approach to detecting and removing spyware, rather than just waiting until we have a definition, then doing a “sweep and remove” once a week. That’s really an important [feature]… we’ve seen some spies now that morph multiple times in a week, so to have that ability to [still] prevent it … is important.
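The hosts-file shield Kellner and Stevenson describe is a product feature, not code on the page. As an added example that is not Webroot's code, the Python script below shows the detection side of that idea: it parses hosts-file text, separates the loopback entries every system has from entries that sinkhole or redirect other hostnames, and diffs the file against an approved baseline. All hostnames, addresses and "spyware" lines are constructed sample data (.test domains, documentation IP range); nothing here is taken from the interview.

```python
"""Hosts-file tamper check (added example, not Webroot code).

Spyware commonly rewrites the hosts file to sinkhole antivirus/update
servers (pointing them at 127.0.0.1 or 0.0.0.0) or to redirect real sites
to an attacker-controlled address. This script parses hosts-file text,
classifies each non-local entry, and diffs the file against a baseline.
"""
import ipaddress
import sys

# Names that legitimately point at loopback on a stock system.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters",
}

# Constructed sample data: an approved baseline and a tampered copy.
CLEAN_HOSTS = """\
# stock hosts file (constructed sample)
127.0.0.1\tlocalhost
::1\tlocalhost
"""

TAMPERED_HOSTS = CLEAN_HOSTS + """\
# hypothetical spyware additions (constructed sample)
127.0.0.1\tupdate.example-av.test
0.0.0.0\tdownloads.example-av.test       # sinkholed update server
203.0.113.7\twww.example-bank.test       # redirected to attacker host
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs from hosts-file text.

    Comments and blank lines are dropped, several hostnames on one line are
    expanded, hostnames are lower-cased, and lines whose first field is not
    a valid IP address are skipped rather than treated as entries.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Classify every entry that maps a non-local hostname.

    Returns (kind, ip, hostname) tuples where kind is "sinkhole" for
    loopback/unspecified targets (the host becomes unreachable, the trick
    used to block AV updates) or "redirect" for any other target.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((kind, ip, name))
    return findings


def diff_hosts(baseline_text, current_text):
    """Entries in the current file that are absent from the approved baseline."""
    added = set(parse_hosts(current_text)) - set(parse_hosts(baseline_text))
    return sorted(added)


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            current = fh.read()
    else:
        current = TAMPERED_HOSTS
    for kind, ip, name in suspicious_entries(current):
        print(f"{kind:9s} {ip:16s} {name}")
    for ip, name in diff_hosts(CLEAN_HOSTS, current):
        print(f"not in baseline: {ip} {name}")
```

Run against a real file with `python hosts_check.py /etc/hosts` (or the Windows `drivers\etc\hosts` path). The baseline diff is the part a central console would care about: it flags anything IT did not approve, including legitimate-looking redirects, while the sinkhole/redirect classification gives the analyst a first read on intent.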

How much do PCs not patched against the latest vulnerabilities add to the spyware threat?

Kellner: Some of the drive-by downloads [exploiting known vulnerabilities] are amazing. You go to a Web page and pow, you’ve got spyware … Some of the Web pages are insidious, they come up and say, to install this software, hit no. So you see the box and automatically hit no [to dismiss it]—and it installs the software. Claria, the leading adware maker, made, I think, $90 million last year. They pay a lot of programmers to be very creative …

But the other key concern is if you have a disgruntled employee. If they bring in a disk that has a key logger, it doesn’t matter what they’re doing on the Web.

Software aside, could companies do a better job of spyware education?

Stevenson: You can try the education path, but the reality is [users still get spyware]. Here’s [an anecdote] from one of the two leading antivirus firms … spyware was so bad that their IT department, over one weekend, went and took every machine within their headquarters and wiped the hard drive, then reinstalled the operating system, put on all [allowed] applications, and locked [PCs] down so that no one had the ability to ever install any program ever without IT installing it.

You can see very quickly how that isn’t a manageable [approach]. You cripple people’s productivity … and also IT’s, because they spend all day installing programs for people, as opposed to what they’re supposed to be doing. You just can’t run a business that way. And … you’re talking about an antivirus company, right; these are people who presumably know better.

So the company in question just had to give up on the lockdown approach?

Yes, it lasted 30 or 45 days before they were so frustrated that they backed down from it a little bit … I think [overall] it was more to drive the point home to the rest of the company that this is a problem, we need to address this.

Is there any new, near-future functionality we should expect from enterprise anti-spyware tools?

Kellner: There are two sides to this. One is continuing the fight against spyware. So you’ll see more proactive measures, greater intelligence and removal capabilities, all those things that have to do with fighting the battle.

On the other side, you’ll see [more of] what IT needs … [such as] intelligent distribution of files across the enterprise, things to let mobile users have different rules while on the road, where to get their updates—maybe they get them from us. [In other words] the sorts of things you see from the antivirus folks [today].

Can we expect integration between enterprise antivirus and spyware products?

I think the IT person’s nirvana is one console out on the client that runs everything. Today that can’t exist, because the antivirus guys don’t handle spyware. But it’s certainly our intent to give IT personnel this one… integrated console. [But] it really has to do with how the industry evolves. It’s really something that’s probably about six months out now.
