Belt and Suspenders

CounterSpy reached end of life on June 1st. I saw a post from someone whose company runs both a commercial antivirus product and CounterSpy. They were wondering what secondary product they could replace it with. I’m having flashbacks to 2007.

In the middle of the last decade, mainstream antivirus products were slow to adjust to the onset of spyware. Users’ computers would routinely get loaded down with browser toolbars and software that served ads, hijacked pages and stole data. To combat this, products like PestPatrol and Webroot Spysweeper were deployed in the enterprise. (CounterSpy came out just after I made a purchasing decision, so it wasn’t evaluated.)

Eugene Kaspersky wrote, “there is no such thing as spyware”. He branded “spyware” a marketing term designed to sell a new product when your existing anti-malware solution should be enough. It was a controversial stance, if only because the major antivirus vendors in the US at the time were playing wait and see. The few that stuck a toe in the water by detecting adware/spyware were sued; the terms of service were plain as day, the plaintiffs argued.

Eventually we reached a point where, in my opinion, antispyware became redundant. I’m surprised to see anyone still WANTING to implement and manage a second anti-malware product, and that users would accept that overhead. I think that if you need a second anti-malware product, the first isn’t doing a very good job.

From the GFI link, it looks like they are offering free upgrades to VIPRE. In the forum, it sounds like you could use that as a scheduled scan, but you wouldn’t want to run two real-time antivirus scans at once.

Obviously I think a single anti-malware solution is more than capable. If yours isn’t, I would suggest looking at alternatives such as VIPRE, Sophos, and Symantec Endpoint Protection.

A more complementary add-on would be URL blacklisting. I’ve written before about how a product like BlueCoat ProxyClient extends filtering to laptops when they are outside the corporate network. Some anti-malware products may even have something like that natively.

What do you think? Are secondary scanners necessary for everyday use?

2 Comments

  1. I’ve never been all that impressed with signature-based AV anyway. How often do you come across a user who’s loaded up their machine with malware despite having updated AV, especially outside the enterprise? And does AV manage to clean it, or do you reach for a tool like Malwarebytes or Combofix?

    On top of that, you’ll never see AV blocking the Bing or Google toolbars. Most commercial AV allows commercial keyloggers and remote control software. They detect Back Orifice, Netbus and sometimes VNC remote-control utilities, but rarely detect Dameware MRC or PC Anywhere.

    It’s a shame: there are tools built into Windows to do executable whitelisting, but there aren’t any good tools to build whitelists. It seems making users non-admins and using executable whitelisting would almost completely solve the problem. There was the Core Force software (http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Core_Force), which ported systrace and pf from OpenBSD, but they gave up on that project after a while.

    • That’s a good point. Signatures are imperfect. Doubling down with more signatures from a second vendor isn’t the best.

      Whitelisting looked like it was going to catch on for a very brief moment. It seemed like there was a lot of interest in products like Bit9. Instead, it seems the main AV vendors have gone to a community-based file reputation type of system.
