Spyware part 2

This is part two of a look at what we can do to keep Spyware off the corporate computers. Part 1 is posted here. I’ll do my best not to repeat myself.
Antivirus vendors are expanding into the area of Spyware products. I think I would prefer to use them as the corporate spyware solution. You don’t have to install an extra product, you don’t have to pay for another product, you get to use a known administration scheme. For this reason I chose to review Symantec Antivirus Corporate Edition version 9.0 first.
SAV 9.0 CE
Normally I wouldn’t go near the first build of a Symantec release, but enticed by the potential protection against Spyware and some other new features, I jumped right into testing.
Pros:
A trusted company. Likely to become a leading player in anti-Spyware.
Single application for both antivirus and Spyware.
Version 9 has greatly improved real time protection (it's faster and it starts earlier).
Threat source, not something to help with antivirus but cool in tracking down file share attacks.
Cons:
How good is their Spyware definition set really? It's an unknown.
Only works in manual and scheduled scan modes. No realtime protection.
Only logs or deletes the files it finds. It doesn’t uninstall Spyware for you.
BSOD when I attempted to install 9 over 7.03. Not good.
Potential problems with XP service pack 2 (need to set registry keys).
Potential error with Outlook plugin.
Problems with uninstall of previous version where install path not available (curse you MSI).
Until the Outlook problem is fixed, this is a no go for us. ETA for fix, late June or July.
Adaware or Spybot
I’m lumping these two together. I don’t use Adaware, but I believe it has the same problems.
Pros:
Able to remove files to a quarantine and restore them if necessary.
Large established Spyware database.
Familiar interface for the “advanced” users.
Cons:
No centralized reporting.
No centralized update.
No centralized scheduled scans.
Not ready for the corporate world.
Pest Patrol
These guys have a new version due out on Monday. I am reviewing the earlier version at this time.
Pros:
Ability to run from login script, pretty cool.
When run from login script, you only need to update the server.
Real time protection.
Cons:
Their implementation guide requires an INSECURE implementation method in which all authenticated users have permissions to the files in the login script directory. This is really bad.
The database seems a bit overly broad. I think I’ve removed the categories, but I am worried about false positives, as recovering from a false positive doesn’t seem as simple as with Spybot.
Alerting is email only.
If run on the local systems, my sole ability to manage it is by setting up a scheduled task to run a scan.
Not ready for prime time. Let's see how the next version does. It looks promising based on the info I have been sent.
Webroot Spysweeper Enterprise
The corporate version is in beta. I have not been contacted after leaving my contact info on the site. It does sound promising.
Websense would only really make sense if you already own it or if you have a project to block porn also. By adding the Spyware category it prevents systems from going to sites listed as Spyware in their database. This can prevent new installs and prevent old installs from phoning home. I think this is a good part of a two layer approach.
Overall Conclusion
Sometimes companies like Gartner say the field is maturing…there is no perfect product…just buy now and limit the damage. The problem is you are being charged premium prices for an imperfect product. Also the “experts” will give us grief if we implement something that isn’t as easy to use as their favorite product. Since NO Spyware product has a perfect detection rate (from anecdotal evidence) they are bound to remind us how defective our product selection was. You can see why I might want to delay a decision for a while.