Fighting spyware with 'spyware'
Webroot's enterprise security software adds a new layer of defense
- By John Breeden II
- Aug 13, 2006
Some words are scary to a computer user: rootkits, spyware, keyloggers and bots. That's why it's so interesting to find a company like Webroot Software, which is using some of the same technologies employed by hackers in order to fight back.
Viruses have been all but conquered by regularly updated software. Spam is a bit harder to combat, because fighting it relies on a computer to make rational judgements about content, something they're notoriously bad at. Try writing a legitimate letter to your friend about Viagra and see if it gets through their spam filter.
But while the world has been winning the war on viruses and gaining ground against spam, hackers have been advancing on a new front: spyware. These days, we're talking about bad programs that know how to install themselves in the root directory of a computer, so detection is difficult and removal is even harder. And the newest Trojan horses and keylogger programs use kernel-level drivers that can both help them avoid detection and prevent anti-spyware programs from running.
Webroot's Spy Sweeper Enterprise suite uses some of the same technology. For instance, to combat rootkits, the Spy Sweeper client employs a technology called direct-disk scanning. This completely bypasses the Microsoft Windows OS to look at a drive, allowing Spy Sweeper to find all masked files on a drive by more or less becoming, or at least acting like, a rootkit itself.
Webroot also uses bots. Every day, bots from the company's high-bandwidth servers crawl millions of Web sites looking for spyware. When they find some, the bots automatically use it to attack unprotected and unpatched systems on Webroot's own internal test bed. Data from the attack is sent to a 40-person research team, which creates new protections as needed and pushes an update to enterprise.Easy installation
The GCN Lab loaded a copy of Webroot's latest network level protection suite, Spy Sweeper Enterprise Version 3.0, on our test network (the latest standalone consumer product is version 5.0). As an administrator, you can do a standard client install via Windows' push technology, or use Webroot's own push installation. We actually liked the Webroot version better. For example, you can specify a range of IP addresses on your network and have it install Spy Sweeper to all the clients within that range. Systems need to be Windows 2000 or better to accept the latest version of Spy Sweeper, though systems running older versions of Windows, such as Windows 95, can accept an older version of the program and still report to the central management console.
You can control the resources a full system scan demands of each client, which can be a help to users of aging equipment by preventing the scan from locking them out of their applications. For instance, you can restrict the program to using one of every 10 processor cycles. We didn't notice too much of a performance bump when throttling back on newer systems, however, so most admins will probably want to leave the resource controls at 100 percent.
Once the client programs were installed, we discovered an extremely simple interface that hides the complex nature of Spy Sweeper. Using a Web-based management console, an administrator can see everything going on at each of the systems on the network'including infection status, top spyware threats (within the protected network), status of the server and time since the last sweep was ordered.
The menu options are also color-coded, so you don't have to dig into them to know the health of the network. For example, when one of our test systems became heavily infected with spyware, the menu option for infection status turned red, alerting us of the problem from the top-level button.
You can also drill down into individual systems. When we looked at one of the test systems where we'd dropped a lot of spyware, we could see the type and where it was located. We even tried to trick Spy Sweeper by putting an uninstalled executable file on the Windows desktop. Even though it wasn't installed, Spy Sweeper identified and offered to eliminate it.
The management console is extremely powerful. Individual computers or groups can be assigned different rules, or what Webroot calls 'shields,' independent of all others. If you have a public terminal, for example, you might want to completely lock it down so nothing even remotely suspect can be installed. Known Web sites where spyware sends data can also be blocked.
One of the hotly contested issues in spyware is the actual definition of 'spyware.' Companies marketing spyware in the guise of free screensavers or utility programs often cry foul if they're called spyware. This has kept many anti-spyware companies from implementing ways to remove them.
Spy Sweeper handles this by grouping such 'questionable' programs into an informal group not specifically labeled spyware. You can still have the program remove them, even automatically, but they are never identified as spyware. In our tests, these included file-sharing programs and informational tools like weather reports that run in the system tray.
To test Spy Sweeper's ability to remove the dreaded rootkits, we installed a few on a client. Surprisingly, Spy Sweeper didn't find them out of the box. The reason, according to company officials, has to do with enterprise machines that have hidden images for restoring a crashed system. These hidden images have rootkit-style properties but are legitimate tools on most networks. Therefore, Spy Sweeper's direct-disk scanning is not enabled by default. Activating it is as easy as checking a box. After we did so, all rootkits were found and eliminated. If you have a rootkit-style program you want to keep, you can whitelist it.Checking signatures
If we have a reservation about Spy Sweeper, it's that the software is currently signature-based. The good news is that Webroot bots are out there crawling the Web for anything new. Still, something could slip through if you happen to be on the very front end of an outbreak. There is some behavioral-based awareness built into the program, such as when a Zip file is decompressed and Spy Sweeper looks at the behavior of the files in question. Company officials say that as they learn more spyware, Spy Sweeper will shift more toward behavior modeling.
That said, one of the advantages of signature-based protection is that incremental updates are usually small. No update we experienced was over 20K, and none required a reboot.
Spy Sweeper Enterprise was extremely easy to install and use across our network. Once configured, constant updates from Webroot ensured protected systems did not become vulnerable to any new threats. In addition to antivirus and anti-spam, a dedicated anti-spyware program is becoming a necessity. Spy Sweeper fills the role nicely.
John Breeden II is a freelance technology writer for GCN.