Active Protection is CounterSpy's near-real-time monitoring feature, which consists of many centrally enabled monitors, as Figure 1 shows. These monitors control whether an end user can perform risky actions, such as installing ActiveX controls and browser helper objects and editing the HOSTS file. In contrast to the detail CounterSpy provides about the threat database, the product doesn't describe what each monitor does, forcing you to refer to the product documentation for more information.
The default action of any policy is to merely report on spyware, which lets you see what threats the product is finding. After a few scans, you'll want to increase the protection to Quarantine or Delete. The Quarantine setting moves perceived threats into an isolated repository, from which you can remove items that you later discover aren't threats. CounterSpy lets you set different actions per spyware category. For example, you can delete adware and keyloggers but quarantine browser plug-ins. Managing spyware that's in quarantine is cumbersome, however, so for a category such as cookies that generates lots of threats, you'll want to bypass the quarantine and use the Delete setting.
CounterSpy Enterprise includes seven prebuilt reports that you can customize by date. You need to be careful interpreting the data because the reports seem to show multiple occurrences of unique threats found over a period of time. Let me explain what I mean. If you scanned a computer 10 times and each scan showed the same threat, the reports would show 10 instances of that threat, which is misleading. I'd expect reports to show that threat just once. CounterSpy uses Crystal Reports to generate the reports, so you get additional features such as drilldown. You also can export reports as an Adobe PDF file, Microsoft Excel spreadsheet, or Microsoft Office Word document.
One feature CounterSpy lacks is a live dashboard that displays the current state of spyware in your network. A live dashboard lets you take direct action or even override a policy setting—to quarantine a discovered threat, for example, or delete a quarantined item from a past scan. CounterSpy also lets you select multiple items in some cases but not in others, such as when cleaning out the quarantine. Although manageable for smaller networks, these little annoyances become magnified in enterprise deployments.
Summary
CounterSpy Enterprise 1.5
PROS: UI makes configuration and scanning a snap; supports AD for getting lists of clients; easy client installation
CONS: Lack of a dashboard makes it difficult to get an overall assessment after a scan; reports accumulate threats over multiple scans, which can be misleading; cumbersome quarantine management
RATING: 3.5 out of 5
PRICE: $1800 for 100 seats, $11,000 for 1000 seats.
RECOMMENDATION: A good pick for enterprises on a budget.
CONTACT: Sunbelt Software * 888-688-8457 * http://www.sunbeltsoftware.com
Trend Micro Anti-Spyware Enterprise Edition 3.0
Systems administrators will feel right at home managing the Trend Micro Anti-Spyware Enterprise Edition (ASEE) infrastructure, which uses the familiar Microsoft IIS or Apache Web server service as its front-end application server and a MySQL back-end database. The use of these technologies eases integration into larger companies that are already familiar with them.
Small offices or gadget-happy administrators might prefer the granular features found in other products, but administrators seeking a solid "set it once and forget it" product will find ASEE appealing. Although ASEE is a standalone product, it snaps into Trend Micro's Control Manager enterprise framework. One drawback is that ASEE can provide certain ancillary functions, such as alert notification, only through the Control Manager framework.
Installation takes just a few minutes, after which you can begin to create policies, manage clients, and start scans, all from a Web browser. Using a Web browser means that you can run the administrative console from anywhere in your network, but ASEE's Web application feels dated compared with the UIs of the other products in this review. For example, every click on an item refreshes the browser and slows navigation. I also missed the ability to open shortcut menus by right-clicking and to drag and drop items.
Client behavior is determined by policies that you create. You can specify how the client should be installed and updated, define the scan type and when the scan should run, and specify whether threats should be automatically removed. ASEE lets you define one type of scan per policy—quick or full—and schedule that scan to run once or many times during the week as well as at startup. You can manually invoke a scan anytime, and you can remove threats with the click of a button. After a scan, you can create a whitelist of threats that you don't want ASEE to remove.
The My Enterprise Network tab in the administrative console presents a filterable list of servers protected by ASEE and shows your network status at a glance, including clients and threats. After a scan finishes, this tab lists in bright red the number of threats found. Drilling into the details is easy.
Click Clean All Threats, and ASEE will instruct the clients to remove spyware according to the options specified in the policy, such as whether to exclude certain spyware or to conduct a full or quick scan. If you mistakenly remove a threat that turns out to be a necessary cookie or application, you can undo the cleaning activity by restoring the system to a previous checkpoint. The restore doesn't list the specific pieces of spyware that were removed, but instead provides a timeline of scan sessions to choose from, which doesn't give much insight into the threats removed by each scan.
Trend Micro calls ASEE's real-time spyware prevention the Venus Spy Trap (VSP). The VSP prevents spyware from being run or installed. You can configure VSP centrally to allow, deny, or let the user choose whether to run an executable whose signature matches a spyware threat, but there are no configuration options beyond that. The footprint of the client is small, and it's invisible to the end user. The only evidence of a client is a process running in Task Manager and a log of activity in a Trend Micro-supplied folder. All management tasks, such as initiating scans, must be done from the administrative console. When cleaning a system, the client will occasionally prompt for a restart, which is necessary for removing some spyware. The other products in this review don't prompt for a restart even though it might be necessary to fully remove the spyware.