- Insider threat looms large in San Francisco
- Woman fired over death threat
- IT admin pleads not guilty
- Tape storage gets more dense
- Top 10 worst uses for Windows
News | Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Because spyware installs and operates over Port 80, it passes onto computers without notice from the current generation of firewalls, says John Pescatore, vice president of security research for Gartner.
Anti-virus/firewall packages that do sweep http traffic over Port 80 for spyware patterns include Fortinet Fortgate, McAfee Internet Security Suite, Norton Internet Security 2004 and Trend Micro's InterScan Web Security Suite for Windows.
Neither Trend Micro nor Symantec offer spyware detection on an enterprise level. Norton's consumer product contains 313 spyware definitions, and Symantec plans to release the same capability in its enterprise software by end of the first quarter.
Intrusion detection isn't the correct way to scan for spyware because it relies on attack signatures instead of traffic pattern analysis, users and analysts say.
"It's hard to catch spyware by looking for exploit signatures because it installs on desktops through ActiveX plug-ins and browser helper objects," says Jeff Horne, researcher for Internet Security Systems, which makes RealSecure intrusion-detection software.
"Spyware changes on a day-to-day basis. You'd need a team of researchers writing signatures every day and still you wouldn't be able to keep up the signature files," he says.
Instead, he says, you need pattern recognition to capture new forms of spyware. Take, for example, a spyware program called Trickler.
Trickler downloads tiny bits of spyware over hours or a day and gathers itself into a client. "You see this executable going out and trying to grab another executable and so on. Heuristic [pattern recognition] would recognize and put a stop to that," he says.
Rss FeedRss Feed
Rick Cook has written thousands of articles, and that means what--- he knows "Microsoft Word"? Phaseit?...- Anonymous
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask to prospective vendors to get the right endpoint solution.
Download the white paper.
Unauthorized applications: Taking back control
Employees installing and using unauthorized applications like IM, VoIP, games and peer-to-peer file-sharing applications cause many businesses serious concern. How do you control these applications?
Download the white paper.
Comments (1)
RE: How to filter Port 80 trafficBy danyal on November 19, 2007, 11:17 pmmy connection is slow i don know why? my speed connections is adsl 2m enterprise static ip , i thins i bean traffic by hackers, any selutions about my problem.
Reply | Read entire comment
View all comments