Anti-Spyware Gets Rootkit Removal

New anti-spyware functionality highlights the enterprise security question: should you go for best of breed or opt for a security suite?

What’s the best way to stop spyware?

Increasingly, it requires not just aiming for spyware—including adware, gray ware, nuisance ware, Trojan applications, and drive-by downloads—but also the applications spyware primarily targets and the obfuscation techniques it employs.

Accordingly, companies that sell anti-spyware are expanding their purview. For example, the recently released version 3.0 of Spy Sweeper Enterprise, from Webroot, can now block unapproved ActiveX and Browser Helper Object activity, and prevent software from modifying Internet Explorer’s list of trusted sites, to stop attacks that require modified IE security zone settings.

In addition, Webroot’s software can detect and remove rootkits. As Bryan Gale, product manager for Spy Sweeper Enterprise, notes, “rootkits are not spyware,” though they are increasing used in “a blended malware threat, where a Trojan is masked with rootkit techniques, to keep it masked from the operating system or other applications.” In other words, behind that rootkit may lurk spyware.

Yet rootkits are notoriously difficult to find and eradicate, since they often hide from the operating system. To cope with that, “we essentially bypass the normal Windows APIs for reading and writing to disk,” says Gale. Instead, Webroot uses to its own API to build a picture of current disk activity, which it then reconciles with Windows’ view.

“Anything that’s a discrepancy or a delta, that Windows tells us it doesn’t know about, we can flag that as a potential rootkit.” (Spy Sweeper also allows administrators to create a white list of processes and applications to ignore, such as hidden partitions used to restore an operating system.)

For particularly stubborn rootkits—those with multiple processes that can rename and launch helper applications when they sense attempts to eradicate them—Spy Sweeper flags offending files for deletion upon reboot, using a kernel that loads and deletes said files before Windows launches.

Anti-Spyware: Standalone or Suite?

Webroot, which only sells anti-spyware software, says it is the first company to offer a product with such rootkit detection and removal capabilities. This highlights an interesting anti-spyware debate: Should enterprises purchase what analysts generally term “best of breed,” dedicated anti-spyware software; or opt for security suites that include antivirus, anti-spyware, a personal firewall, and perhaps more. The implication: spend more to get better spyware protection, or save money and get an all-in-one product which may be easier to manage.

As Forrester Research analyst Natalie Lambert notes in a January 2006 report on the anti-spyware market, “To date, best-of-breed solutions have won out—only 24 percent of organizations use client security suites when deploying an anti-spyware tool, whereas 65 percent use standalone solutions.”

Yet all-in-one suites have an obvious economic—and sometimes, manageability—upside, which is why “many organizations prefer a bundled security solution which includes antivirus, anti-spam, and anti-spyware,” writes Matt Anderson, a Radicati analyst, in its “Corporate Anti-Spyware Market, 2006-2010” report.

The Future of Anti-Spyware

Going forward, predicts Forrester’s Lambert, “organizations will begin to switch to client security suites as these tools catch up to best-of-breed tools and offer the same level of functionality with less administration and management overhead.”

So far, however, no one suggests that’s happened, and companies today still utilize a diverse number of anti-spyware products, in both standalone and suite form. According to Radicati, the leading vendors of enterprise anti-spyware software (and their 2006 market share) are Webroot (24.9 percent), CA (22 percent), Tenebril (11.5 percent), Sunbelt (10.9 percent), McAfee (8.1 percent), Trend Micro (6.5 percent), and Symantec (6.4 percent); followed by SurfControl, Aluria Software, FaceTime, Lavasoft, and Microsoft.

Market competition is notably increasing. For example, Microsoft recently announced it will offer managed antivirus and anti-spyware services for both consumers and businesses. (Its next-generation operating system, Vista, will also include a two-way firewall.)

Such moves aren’t surprising, considering The Radicati Group estimates worldwide revenues of corporate anti-spyware software—on both desktops and servers—will rise from $214 million in 2006, to $1.4 billion in 2010. That estimate doesn’t even include the lucrative consumer anti-spyware market, which is where many new anti-spyware capabilities debut. In other words, the anti-spyware competition may only be getting started.

Related Articles:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.