Content Security Gateway Appliances

Real-World Spyware Attacks

Anti-spyware best practices, like anti-virus (AV) best practices, begin with a layered defense configuration that covers desktops and the gateway (see figure 1).


At the desktop level, anti-spyware is difficult but necessary. First and foremost, it is important to understand that desktop anti-spyware is a reactive measure. The main task is to find and remove spyware that is designed to be hard to find and hard to remove. Desktop anti-spyware products from pure-play anti-spyware vendors may have good coverage of adware-types of spyware but often fall short on coverage of Trojan horse and backdoor spy programs. The best approach then may be to use a desktop AV product that includes spyware signatures and a desktop anti-spyware product from another vendor. Enterprise-class management and reporting capabilities are other important factors to consider.

The Internet gateway is the ideal place to stop spyware. Unlike desktop anti-spyware, gateway anti-spyware is a proactive measure. The main task is to prevent spyware from entering the network and installing on individual computers. This is in fact not a new idea. A key lesson from AV deployments is that the gateway is a strategic point from which to scan Internet traffic and protect an entire network against Internet-borne malicious software. In the same way, if spy programs can be stripped out of Internet traffic at the gateway, before they can install themselves on desktop computers, then the threat of spyware may be substantially reduced.


Gateway Anti-Spyware Requirements

Real-world spyware attacks also suggest certain gateway anti-spyware requirements. The first and most important requirement of gateway anti-spyware is real-time scanning performance. If a product cannot deliver real-time performance, then it cannot scan large volumes of web traffic for spyware. If it cannot scan enterprise-class web traffic, then it cannot truly protect against spyware, since web traffic is one of the main vectors of spyware attacks. So in this case, it is no longer a matter of a trade-off between security and performance. An organization must have both. High performance is necessary if there is to be any gateway protection against spyware.

After real-time performance, a second requirement of gateway anti-spyware is comprehensive Internet traffic coverage. All major avenues of Internet traffic must be scanned for spyware. In the past, it may have been sufficient to cover only one major Internet protocol such as SMTP for email traffic. Today, however, spy programs do not limit themselves to SMTP email. They attack through multiple protocols, including HTTP, POP3, IMAP, FTP, and even HTTPS. Note that coverage of web and email traffic by separate gateway products may introduce security gaps when certain varieties of spyware attack simultaneously through both web and email vectors. Gateway anti-spyware therefore must scan web, email, and other Internet traffic to ensure that spyware does not infiltrate the network through unprotected vectors or gateway security gaps.
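The coverage gap described above is easiest to see with a small scanner that is run over traffic crossing several protocols. The following Python is an added example written for this page; it is not Develcon's code and does not reflect any real product. The signature library, the marker byte strings and the sample messages are all constructed for illustration, and the carrier parsing is deliberately minimal (one HTTP response body, one base64-encoded MIME part, one raw FTP transfer). It shows that a gateway which scans only email protocols lets a known sample through when the same sample arrives over HTTP or FTP, which is the blended-vector problem the paragraph describes.

```python
"""Toy multi-protocol gateway scanner (added example, not Develcon's code)."""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# --- Constructed samples: made-up bytes standing in for spyware files ---------
SAMPLE_ADWARE = b"MZ\x90\x00 constructed adware stub DEMO-ADWARE-BEACON end"
SAMPLE_BACKDOOR = b"MZ\x90\x00 constructed backdoor stub DEMO-BACKDOOR-CALLBACK end"
SAMPLE_PASSWORD_TOOL = b"MZ\x90\x00 constructed password tool, no byte pattern, hash only"
CLEAN_FILE = b"%PDF-1.4 constructed harmless document"

# --- Constructed signature library: byte patterns plus exact-hash entries -----
PATTERN_SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "Demo.Adware.A": re.compile(rb"DEMO-ADWARE-BEACON"),
    "Demo.Backdoor.B": re.compile(rb"DEMO-BACKDOOR-CALLBACK"),
}
HASH_SIGNATURES: Dict[str, str] = {
    hashlib.sha256(SAMPLE_PASSWORD_TOOL).hexdigest(): "Demo.PasswordTool.C",
}

ALL_PROTOCOLS = {"HTTP", "SMTP", "POP3", "FTP"}


@dataclass
class Message:
    protocol: str  # carrier protocol as seen at the gateway
    raw: bytes     # carrier-level bytes, framing included


def http_response(payload: bytes) -> bytes:
    """Wrap a file as a minimal HTTP response (constructed framing)."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(payload) + payload)


def mime_mail(payload: bytes) -> bytes:
    """Wrap a file as a single base64 MIME part (constructed framing)."""
    body = base64.encodebytes(payload).replace(b"\n", b"\r\n")
    return (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + body)


def extract_payload(msg: Message) -> bytes:
    """Strip carrier framing so the scanner sees the transferred file itself."""
    if msg.protocol == "HTTP":
        _, _, body = msg.raw.partition(b"\r\n\r\n")
        return body
    if msg.protocol == "FTP":
        return msg.raw  # FTP data channel carries the file verbatim
    if msg.protocol in ("SMTP", "POP3"):
        _, _, body = msg.raw.partition(b"\r\n\r\n")
        return base64.b64decode(body.replace(b"\r\n", b"").replace(b"\n", b""))
    raise ValueError(f"unsupported protocol {msg.protocol}")


def scan_payload(payload: bytes) -> List[str]:
    """Match a file against hash signatures first, then byte-pattern signatures."""
    hits: List[str] = []
    digest = hashlib.sha256(payload).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(payload) and name not in hits:
            hits.append(name)
    return hits


def gateway_verdicts(traffic: List[Message],
                     covered_protocols) -> List[Tuple[str, Optional[List[str]]]]:
    """Per message: (protocol, hits) or (protocol, None) if the gateway never scanned it."""
    verdicts: List[Tuple[str, Optional[List[str]]]] = []
    for msg in traffic:
        if msg.protocol not in covered_protocols:
            verdicts.append((msg.protocol, None))
        else:
            verdicts.append((msg.protocol, scan_payload(extract_payload(msg))))
    return verdicts


def unscanned_infections(traffic: List[Message], covered_protocols) -> List[str]:
    """Protocols over which a known sample passed because that vector was not scanned."""
    return [msg.protocol for msg in traffic
            if msg.protocol not in covered_protocols
            and scan_payload(extract_payload(msg))]


# Constructed traffic: the backdoor arrives over both email and web (blended attack).
TRAFFIC = [
    Message("HTTP", http_response(SAMPLE_ADWARE)),
    Message("SMTP", mime_mail(SAMPLE_BACKDOOR)),
    Message("HTTP", http_response(SAMPLE_BACKDOOR)),
    Message("FTP", SAMPLE_PASSWORD_TOOL),
    Message("HTTP", http_response(CLEAN_FILE)),
]

if __name__ == "__main__":
    for covered in ({"SMTP", "POP3"}, ALL_PROTOCOLS):
        print(sorted(covered), "-> unscanned infections:",
              unscanned_infections(TRAFFIC, covered))
```

With email-only coverage the backdoor copy sent by email is caught but the identical copy fetched over HTTP and the hash-only sample pulled over FTP are never examined; extending the covered protocol set to all four closes the gap without any change to the signature library. In a real deployment the framing parsers are the hard part (chunked encoding, compression, nested MIME, TLS termination for HTTPS), which is why the paper ties protocol coverage to scanning performance.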

A third requirement is comprehensive signature coverage. A signature library must include all known spyware and, more broadly, all known malware. Some anti-spyware vendors count every variation of a given spyware as a separate instance of spyware in order to claim extensive spyware libraries. Spyware signatures should be comprehensive and range from adware-types of spyware to Trojan horse and backdoor spy programs, password tools, and hacker tools. Note also that some signature libraries are actually open-source collections that cover less than half of all known spyware and malware.

Moreover, these open-source libraries raise the critical issue of who is responsible for delivering timely emergency signature updates when new spyware or malware attacks. Since spyware is often part of a blended malware attack, the library should include not only spyware but also all known malware, ranging from traditional viruses and worms to the newest Trojan horse spyware and spyware worms.


Summary

Spyware is a new and growing threat to organizations. It is important to understand this threat from a real-world perspective so lessons may be drawn that may guide the development of best practices and requirements. Anti-spyware best practices begin with a layered defense at the gateway and desktop levels. At the gateway, anti-spyware is most effective for stopping spyware from entering the network and installing on individual computers. The core of gateway anti-spyware, like desktop anti-spyware, is spyware scanning. But the key issue with scanning real-time web traffic for spyware is scanning performance. Key requirements for gateway anti-spyware therefore include real-time scanning performance, as well as comprehensive Internet traffic coverage and comprehensive spyware and malware coverage. Deployment of gateway anti-spyware that meets these requirements with desktop anti-spyware in a layered defense is the most effective way to counter today's spyware threats.
Copyright © 2007 Develcon. All rights reserved.