Is Too Much Anti-Spyware a Bad Thing?

An end user with two real-time anti-spyware engines asks if too much anti-spyware software is a bad thing

Is too much anti-spyware software a bad thing?

That was the question faced by Ron Reisterer, the director of technology for the Decatur Public Schools in Michigan. The school district uses Webroot’s Spy Sweeper Enterprise as well as Symantec Corporate Edition Antivirus software to protect 500 PCs running Windows 2000 Professional.

“The district must now upgrade to Symantec’s new version 10. This upgrade presents a dilemma. Symantec tells us not to run any ‘real-time’ anti-spyware products like Spy Sweeper alongside of their Version 10. Webroot says that this is nonsense,” he says. “What’s an end user to do?”

Unfortunately, after speaking to anti-spyware vendors, analysts, and technology experts, the answer isn’t clear. It’s also difficult to tell whether Symantec’s advice is made for technological or competitive reasons—or both.

A Symantec spokesperson told us: “Because Symantec Client Security 3.0 and Symantec AntiVirus Corporate Edition 10.0 contain a real-time spyware scanning component, Symantec does not recommend running third-party real-time spyware scanning programs on the same computer. The concern is that if two real-time components are both accessing the same file, results can be unpredictable.”

The issue, then, is real-time scanning. “Customers can run other anti-spyware programs on the same machine, they just shouldn’t have multiple products running real-time scanning. Most anti-spyware products on the market don’t offer real-time scanning, so this won’t be an issue,” continues the spokesperson. When a PC does contain two real-time scanning products, the advice is to deactivate one of them; just not Symantec’s. “You can turn off our real-time … we do not recommend it,” says the spokesperson.

Others agree that running two real-time security scanning engines at once can noticeably slow a PC. For example, running a Webroot Spy Sweeper scan at the same time as a Symantec Norton Internet Security (NIS) 2005 scan can “make the CPU jump to 50, 70, 100 percent, but for only brief periods of time,” notes a Webroot spokesperson. “I believe this is primarily because of Symantec’s engine. I also believe this is their blanket statement to avoid having to share the desktop.” Then again, rigorous tests of the CPU utilization of both products, alone or together, weren’t available.

Security Products Don’t Play Nice

Symantec is hardly alone when it comes to advocating a pick-one-or-the-other approach. “Most of the vendors have similar recommendations, and in general competing desktop security products do not play well with each other,” notes Amrit Williams, a research director in Gartner’s information security and risk practice. In particular, “it is not uncommon for system instability, generally in the form of performance degradation, to occur when running multiple, competing desktop security products. And, of course, it is in Symantec’s best interest to not run in conjunction with competing products performing the same functions.”

For users of Symantec’s corporate antivirus software who want to disable real-time anti-spyware scanning, the manual doesn’t detail how. A Symantec spokesperson, however, provided information, noting “you can go into the configuration option for Auto-Protect and turn off scanning for security risks.” The spokesperson says spyware scanning is a discrete option.

Given Symantec’s advice, some suggest it tweak its message. “I can’t think of any conflicts by running multiple antivirus and/or spyware scanners. If Symantec knows of specific problems, then I think they should work to resolve them,” writes privacy advocate Richard Smith in an e-mail message. “It’s not reasonable to tell customers to stop running competitive products.”

The Enterprise Anti-Spyware Market Changes

What’s interesting, perhaps, is how “competitive product” no longer just means “antivirus scanner,” since antivirus companies—long slow-to-market with an anti-spyware component or product—have recently begun to scan for additional types of threats. Even so, many users, including Reisterer, don’t want to just give up their best-of-breed tools. “I am concerned because Spy Sweeper Enterprise has been doing a great job keeping our clients free of junk.”

Today, of course, there are a number of anti-spyware options—some dedicated, some not. Choices include the free Ad-Aware, Spybot Search & Destroy, and Microsoft’s AntiSpyware (now under fire for not blocking Claria’s Gator, in the wake of rumors Microsoft might purchase Claria), as well as such commercial software as Computer Associates’ eTrust PestPatrol, Webroot’s Spy Sweeper, Trend Micro Anti-Spyware (formerly InterMute), and increasingly, anti-spyware capabilities built into antivirus software from such vendors as McAfee and Symantec.

Home users may run more than one of the above products, because each might catch malware the others miss (or purposely ignore). Yet the home-PC-user approach doesn’t scale to enterprise-network levels; it’s too much work for time-strapped IT managers. That’s why enterprise-grade anti-spyware includes a centralized management console for rolling out anti-spyware software to end-user PCs, then facilitating ongoing management of the software, and quarantining and eradicating known or suspected spyware.

Beyond the management challenge, IT managers frequently also don’t want end users to know a scanning engine is present, plus running multiple real-time scanning products can result in a processor hit. “The risk lies mainly in performance,” says Gartner’s Williams. “Multiple security products potentially scanning the same file at the same time (or attempting to) can potentially introduce spikes in processor and memory consumption which would result in slow performance or the perception of impeded productivity.”

Slow performance could lead enterprise users to try and deactivate scanning software themselves. “For desktop security to be effective, it needs to be as transparent to the average end user as possible. If not, they will make attempts to disable or bypass it, as well as assuming that all performance may be related to the security software which undermines their confidence in the solution,” he says. Of course, IT managers would rather avoid this scenario.

Good Enough Instead of Best

In fact, while many CIOs still adopt a best-of-breed anti-spyware product, others are changing their thinking when it comes to managing antivirus, anti-spyware, personal firewalls, and host-based intrusion prevention. Given the perceived overlap between these four software types, Williams says many large companies have told him that “they prefer an integrated solution with enterprise management that offers ‘good-enough’ protection, versus four separate products that are considered best of breed but do not have any integrated enterprise management.”

He stresses, however, that this is an enterprise-only trend. Approaches differ “on the consumer side or in organizations with small environments that do not have as strong a need for centralized enterprise management.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.