Spies on the network

You may think that spyware isn't an enterprise issue: that security, infrastructures, acceptable use policies and a different mindset all protect big business from such things. Well, actually they don't. Spyware has moved out of the "paranoid about privacy" consumer arena and squarely into the "protection of sensitive data" enterprise zone. This means your company needs to seriously consider a dedicated anti-spyware product rather than relying upon firewalls, outdated security policies and a misguided "not in my back yard" attitude.

The truth is, no business is safe. A Fortune 500 company in the US took part in the Blue Coat assessment process and discovered that the website visited the most during the weeklong test was Gator.com, yet management had no idea what this was. In fact, Gator serves up more than 40 million consumers with advertising, in accordance with its End User License Agreement (EULA), in exchange for the installation of 'free' software. In the case of this particular company, Blue Coat was able not only to identify Gator.com as a problem on the corporate network, but to also identify the individual desktops that were responsible. The end users had agreed to the ad serving in order to run an e-wallet application. Not only did the application itself have no business relevance, but the employees had chosen to install it at work so as not to slow down their home computers.

Acceptable use policies need to be revised in the face of the spyware epidemic to ensure employees aren't unwittingly inviting infection into the enterprise - and effectively providing a legal loophole for spyware installation. By clicking through EULAs - the ambiguous wording of many being designed to wear down user defences through attrition - employees provide corporate permission for the loading of a spyware app. That spyware can then compromise data, and can leave companies liable for the violation of non-disclosure agreements. Yet standard desktop anti-spyware software simply isn't scalable to larger companies, and true enterprise anti-spyware products are thin on the ground.

So, as well as tracking down the most appropriate software for your company, it's worth reassessing your existing policies to make sure your company's assets are protected. The first part of this feature tackles this issue, while the second examines the enterprise-level anti-spyware products that can be bought.

Costs and consequences

Unlike hacker script kiddies and virus writers who, on the whole, are in it for peer-group approval, spyware is strictly business. Whether to steal data or to assault users with pop-up adverts the aim remains revenue. The perpetrator gets a micro payment for each pop-up ad that's 'viewed' and more pop-ups equal more cash.

The cost to the enterprise is often misunderstood and undervalued. Performance degradation is one of the most obvious symptoms of spyware infection, but the consequences of that degradation are often overlooked.

The latest Webroot Enterprise audit reported that each machine on an infected network averaged no less than 27 instances of spyware, and even when you strip out the dubious inclusion of cookies in that figure, you're left with an unacceptable average of 4.4 infections per desktop. This is high enough to slow down an individual machine to such a degree that CPU upgrades are purchased in order for essential applications to perform as required. Yet it's the spyware that's eating up the processor cycles, and simply removing it would have saved a substantial and unnecessary investment. Take that 4.4 infections metric, multiply it by the number of desktops in the enterprise and then consider the impact this has on bandwidth. Productivity issues are also often overlooked when analysing the impact of spyware, but they should be at the forefront of any real-world assessment.

The most harmless adware applications will result in time spent either looking at non-work related advertising or dealing with the management of pop-up and pop-under ad windows. Then there's the IT staff who have to spend an increasingly large amount of time dealing with spyware-driven support issues. Industry sources suggest as much as 20 per cent of support calls to Dell are for spyware-related problems, for example. And this is before you even start to consider the fact that spyware is often implicated with system instability issues. Last year, Microsoft estimated that 50 per cent of PC crashes involved spyware.

To get an idea of the annual IT staff costs of dealing with a spyware-compromised network, take a look at the Blue Coat "spyware cost calculator" at www.winproxy.com/products/calc_spyware.asp

Of course, this can only be a ballpark figure, but it's enough to concern those holding the corporate purse strings. All you need to input are the number of PCs within the enterprise, the average annual salary of IT support staff (the calculator itself will load this, and full details of that loading are available on-site) and the percentage of PCs infected each quarter. The latest Webroot Enterprise Spy Audit found that of the 60,000 systems scanned, a staggering 80 per cent were infected, so a starting point of 75 per cent for the calculator entry seems reasonable. For an enterprise with 1,000 PCs, a 75 per cent infection rate and average support staff salaries of 25,000, the calculator returns the true cost of spyware as being 135,000 each and every year. Even if you were to drop the infection rate to an extremely conservative 25 per cent, spyware would still be hitting your bottom line to the tune of 36,000 annually.

Every employer is at risk from the hidden costs of an enterprise-wide spyware infection. In the education, finance and healthcare sectors, for example, there are liability issues surrounding unauthorised disclosure of personal information. Furthermore, a large proportion of pornographic websites carry some kind of spyware or adware payload, so it should come as no surprise that objectionable and inappropriate material is also often displayed on infected systems due to adware components driving unsuspecting users to adult websites. This leaves the corporation open to legal action from users who are exposed to such content within the work environment. The cost can be immense to any business by the time you've added the legal fees, compensation payments, regulatory body fines plus damage to credibility and brand into the mix. So what can you do about it?

Anti-spyware software can effectively be broken down into three categories: block install, block execution, and search and destroy. The best-of-breed software will incorporate all three, but for the most part these applications simply don't scale to enterprise usage. However, over the last year an increasing number of enterprise-specific products have come to market.


Lavasoft Ad-Aware Enterprise (www.lavasoft.com), is the SE Professional edition with an Ad-Axis Management Console bolted on. This means you can expect similar results to those reported in our consumer spyware group test but with centralised management of scan scheduling, reporting and updating. Both server and client run as Windows services so that user interaction isn't possible, which is a good thing. However, the requirement for login scripts or an installer on each workstation rather than a centrally managed deployment isn't.

The text-based reporting function of Ad-Aware also lags behind most of the competition, many of which provide graphical executive summaries that make it much easier to extrapolate emerging trends. Ad-Aware Enterprise is well suited to small business networks, but it doesn't scale sufficiently for the larger enterprise.


Desktop and enterprise products may share the same spyware threat database, as is the case with Sunbelt CounterSpy (www.sunbelt.co.uk), but that's pretty much all they should have in common. So while CounterSpy Enterprise features 'active protection' as in the consumer version, the corporate equivalent adds a centrally managed admin console. Being able to create policies and assign machines to that policy using Active Directory or IP address, or to control the silent automatic push install of the agent and updates, are equally important.

There's no doubting the strength of the CounterSpy spyware database, and that's the key to the high detection rate of its products. Since Sunbelt had a contractual agreement with original partner Giant before Microsoft bought it, CounterSpy gets to access the Microsoft spyware signature database until July 2007. And that's in addition to its own database and the collaborative ThreatNet database. CounterSpy rates highly thanks to the policy-based active protection, powerful centralised management console and the most detailed and graphically appealing reporting tools of all. Sunbelt is also due to add anti-virus and firewall capability to build a fully integrated security suite.


Webroot (www.webroot.com/uk), probably the most recognised anti-spyware brand, has recently released Spy Sweeper Enterprise 2.5. The new product focuses on centralised management and active control.

Webroot's update servers provide both software and definition file updates to your central management server, and these can also be passed to optional distributor servers, which then pass the updates on to desktop clients. The enterprise servers also communicate policy information to the clients and store the results of spy sweeps in a Microsoft SQL server or embedded database as required. With control via a browser-based interface, system administrators can access and manage Spy Sweeper from anywhere on the network. This is a welcome new feature to version 2.5, as is a client engine upgrade that improves scanning speed by as much as ten times. IT staff need a clear view of all network activity together with the means to present that data to management with clarity. This means the alerting process must be able to provide the IT department with precise details of everything from definition availability to spyware detection rates and patterns.

The Spy Sweeper reporting process has been upgraded, and can now deliver graphical reports to display spyware by type for any date period, review prevalent trends and evaluate the percentage of systems infected. Protection from alternate data stream attacks, encryption of communications between clients and server, and the digital signing of downloads are all new, as is the ability to automatically create groups and move workstations into those groups based on Active Directory Organisational Units, workstation names and IP subnets.

Webroot's extensive proprietary spyware database is populated using Phileas, a malware crawler that uses dozens of high-bandwidth servers to control an army of bots scouring the Web for sites that contain malware and spyware. It's an active methodology, and one that enables Webroot to keep on top of the growing spyware problem by scaling the threat database to match. We continue to be impressed by the auto-updating for remote users, the flexibility in deployment and the load-balancing capability when using update distribution servers.

Blue Coat

Blue Coat (www.bluecoat.co.uk) offers a well-rounded anti-spyware product with a multilayered approach, providing pre-emptive protection at gateway, network and host levels.

Gateway and network protection blocks unwanted traffic from entering the network, as well as unauthorised applications from communicating outside of it; web filtering prevents access to unauthorised websites; host protection stops trojans, keyloggers and browser hijackers, along with application installation control and communication control using defined policies to manage information transfer.

Blue Coat offers a "Web Traffic Assessment", which involves the installation of a ProxySG appliance into your network for a week. During this time, it will identify and analyse your web traffic and then report on the real-world security vulnerabilities it uncovers, along with web traffic trends, resource availability and application bandwidth issues. It also recommends the right Blue Coat tool to rectify the problems it identifies.

The Spyware Interceptor appliance for networks of up to 1,000 users is one such tool. It's easy to deploy and uses Blue Coat's patent-pending SCOPE (Spyware Catching Object Protection Engine) software. SCOPE intercepts and analyses all executable web traffic, and uses preset policy preferences to remove known threats and potential spyware. It does this by analysing the executable code characteristics and comparing the referring site against a database of more than 8 million previously analysed sites.

Part of the secret of Blue Coat's success is in recognising that while spyware code itself is forever changing, the distributing websites are more static. It makes sense for spyware sites to hang around if they're making money, so Blue Coat tracks these sites and removes any potential spyware code from the sites' downloads.

Shavlik Technologies

Patch management plays a vital role within the Enterprise by preventing software security holes from being exploited. For those working within a Windows environment, Shavlik Technologies (www.shavlik.com) has recently released HFNetChk Protect, which combines patch management with spyware protection. This uses the same scanning engine as the Microsoft Baseline Security Analyzer, and provides 'agent-less' patch deployment. The addition of an integrated spyware component means you can use your existing system grouping by Active Directory organisational unit, domain name, IP addresses, IP ranges or hostnames configuration for spyware checks.

A graphical reporting interface makes it just as simple to create and view high-level summary reports as it is detailed reports of specific machines or groups. The single point of management approach is a good one, but patch management and spyware scanning aren't a complete security solution: you still need to factor in both anti-virus and firewall protection.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.