The new anti-spyware products no longer rely on signatures, instead using technology that can stop new and unknown programs from invading PCs.

InformationWeek Staff, Contributor

August 23, 2005

ADVANCES AT THE GATEWAY

Anti-spyware protection is also making its way to the network gateway. Several products, including Trend Micro's InterScan Web Security Suite, SurfControl's Web Filter, and Blue Coat Systems' ProxySG, can scan incoming Web traffic for spyware and adware. These gateway products also prevent end users from surfing to known spyware or adware sites and can stop adware or spyware on a PC from connecting to a remote server on the Internet. In addition, Trend Micro's InterScan can deploy an anti-spyware cleaner in an ActiveX control to clean desktops that have spyware or adware programs attempting to access the Internet.

Denver Health's Pelot turned to Blue Coat's gateway solution to protect approximately 50 PC kiosks deployed around the hospital. Adware and spyware infestations affected the performance of the PCs at the kiosks, which are used by doctors and other staff to track patient care and send prescriptions to the hospital pharmacy.

Pelot says before deploying Blue Coat, doctors might spend two minutes simply waiting to log on to the PC. With doctors seeing as many as 200 patients a day, they had little tolerance for poor-performing machines.

After testing the product, Pelot was satisfied enough to deploy it full time. "Depending on what a person is doing on the Internet, we may have to clean one or two machines. But the problem has virtually disappeared," he says.

Note that all gateway products suffer the same drawback--mobile users have no protection outside the corporate environment. Thus, enterprises with mobile workers should augment gateway solutions with a desktop-resident agent.

BEHAVIOR BLOCKING AT THE GATEWAY

Blue Coat and other gateway solutions rely on signatures, which means new or unknown programs can still slip by. Security gateway vendor Finjan Software says that's not good enough.

Finjan offers a pair of appliances--Vital Security and a standalone anti-spyware version of it--that perform behavioral analysis of active content at the gateway. They compare the intended behavior of the active content--such as ActiveX controls, VBScript, JavaScript, or Java applets--with the content behavior policy defined by the enterprise.

For example, a customer may set a policy that prevents JavaScript or ActiveX controls from having access to file systems or registries on the desktop. The Finjan gateway will block active content that includes such capabilities.

Finjan's gateway doesn't create a sandbox to run the code inside. Instead, virtual scanners built into the gateway decompile each type of active content, examining commands and programmatic sequences to understand what the content will attempt to do when it executes. The result is that the gateway can detect new or unknown malicious programs and prevent them from infecting enterprise desktops.
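A simplified sketch of the kind of policy check described above, added here as an illustration and not Finjan's code: it reads script source without executing it, infers which capabilities the content would use, and compares them with a deny policy. It relies on pattern matching rather than decompilation, and the capability table, policy names and sample scripts are all constructed assumptions.

```python
import re

# Assumed mapping of COM ProgIDs and method names to capabilities (illustrative).
PROGID_CAPS = {
    "scripting.filesystemobject": {"filesystem"},
    "wscript.shell": {"registry", "process"},
    "shell.application": {"process"},
}
METHOD_CAPS = {
    "opentextfile": "filesystem", "createtextfile": "filesystem",
    "deletefile": "filesystem",
    "regread": "registry", "regwrite": "registry", "regdelete": "registry",
}
# "a" + "b" (JavaScript) or "a" & "b" (VBScript) between two string literals.
_CONCAT = re.compile(r"""(["'])((?:(?!\1).)*)\1\s*[+&]\s*(["'])((?:(?!\3).)*)\3""")
_CREATE = re.compile(r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']([^"']+)["']""", re.I)
_CALL = re.compile(r"\.\s*([A-Za-z_]\w*)\s*\(")

def fold_literals(src):
    """Join split string literals so "Scripting." + "FileSystemObject" is seen whole."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: '"%s%s"' % (m.group(2), m.group(4)), src)
    return src

def capabilities(src):
    """Capabilities the content would use; ProgIDs outside the table are flagged."""
    src = fold_literals(src)
    caps = set()
    for progid in _CREATE.findall(src):
        caps |= PROGID_CAPS.get(progid.lower(), {"unknown-com-object"})
    for method in _CALL.findall(src):
        if method.lower() in METHOD_CAPS:
            caps.add(METHOD_CAPS[method.lower()])
    return caps

def evaluate(src, denied):
    """Gateway verdict: block when the content needs a capability the policy denies."""
    hits = sorted(capabilities(src) & set(denied))
    return ("block", hits) if hits else ("allow", [])

# Constructed policy and sample content.
POLICY_DENY = {"filesystem", "registry", "unknown-com-object"}
PAGE_JS = 'var total = price + tax; document.getElementById("sum").innerHTML = total;'
SPLIT_JS = 'var f = new ActiveXObject("Scripting." + "File" + "SystemObject"); f.OpenTextFile(p);'
REG_VBS = r'Set sh = CreateObject("WScript.Shell") : v = sh.RegRead("HKCU\Software\Example\Setting")'

if __name__ == "__main__":
    print([evaluate(s, POLICY_DENY) for s in (PAGE_JS, SPLIT_JS, REG_VBS)])
```

The split-literal sample is the case a byte signature for the full ProgID string would miss, while the capability check still reports file system access.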

The product will introduce some latency to Web transactions, but Finjan declined to offer any figures. According to the company, the appliance does support load balancing to improve performance.

Finjan also recently announced that Microsoft had licensed several of Finjan's patents regarding its proactive content security used in the gateway. The patents will allow Microsoft to develop technology for preventing new and unknown attacks. Microsoft has also become a minority shareholder of Finjan.

Nick Sears, president of U.S. operations at Finjan, wouldn't say whether the deal was a prelude to an acquisition, but it does underscore the growing interest in prevention-oriented solutions. "The market is warming up to the notion that existing signature-based solutions aren't providing adequate malware prevention," says Sears. "Customers are looking to alternative solutions."

Technology Editor Andrew Conry-Murray can be reached at [email protected].
