The Client Service Settings window displays.
Draft August 15, 2005 10. Enter or select the information and click Next.
CommAgent Polling Interval Client Service IP How often you want installed CommAgents on each client workstation to check for updates and for schedule and configuration changes from your server. Enter the IP address or host name that the client workstations will use to communicate with your company server. For IP resolution, select the IP address of the network interface card (NIC) visible to client workstations. For host name resolution, enter the fully qualified domain name of your server (requires a properly configured DNS environment). Port on your company server that the Client Service will use to communicate with your client workstations. The default port is 50000. Be sure that the port you use is not used to communicate with another system.

Client Service Port

The E-mail Settings window displays.
11. Enter or select the information and click Next.
E-mail Host Fully qualified domain name for your e-mail server used for outgoing mail (SMTP server). If you do not have this information, enter NA and edit the information from the Admin Console. E-mail address that notification messages will come from. Must be a real e-mail address in the format: tom@webroot.com. Amount of time the Admin Console will wait to connect to the mail server before timing out.
From Address Message Timeout
The SMTP Settings window displays.
12. Enter or select the information and click Next.
Use SMTP Login User Name for SMTP Password for SMTP If you use a secure SMTP e-mail server, select this option and enter the user name and password below. Name needed to log in to a secure SMTP server. Password needed to log in to a secure SMTP server.
The Client Settings window displays.
13. Enter or select the information and click Next.
Tray Icon Setting Select how you want Spy Sweeper to appear on client workstations. You can change this setting from the Admin Console by selecting Manage Desktop Applications > Spy Sweeper > Configure Spy Sweeper > Sweep Settings. Displays a system tray icon that end users can double-click to display the Spy Sweeper window and automatically pops up the window whenever a sweep starts, whether scheduled or using Sweep Now.

Pop up on Scan

Default and recommended setting. Displays a system tray icon that end users can double-click to display the Spy Sweeper window, but does not pop up the window whenever a sweep starts. From this interface, end users can start their own sweeps and adjust any allowable settings. When a sweep is running, the tray icon will animate to show that Spy Sweeper is sweeping their system. Does not display a system tray icon and does not do anything when a sweep starts. End users have no access to the Spy Sweeper window to use options that are set as editable in the Admin Console.

The SpySweeperSetup.msi client installation program defaults to visible installation where you see a progress bar and receive feedback when the installation is complete. For information about using different installation options, see Client Installation Options on page 31. The CommAgents contact the Client Service on your company server, as displayed in the Client Service Settings in the Admin Console (Admin Tasks > Settings, Network section), to look for product updates and configuration changes. If updates are available, the CommAgents access the updates from the distributors assigned on the Assign Distributors panel in the Admin Console. If no other distributors are assigned, the company server (the default distributor) passes updates to the client workstations. Client workstations poll the company server at random intervals within 20 seconds of installation. During the first contact, the CommAgent also provides the name and MAC address of the client workstation and automatically adds the client to a default group. For more information, see Managing Groups on page 44. Once you set up the client workstations and they have polled the company server, you can change the groups, if needed. You can also schedule sweeps and change sweep settings based on groups. For more information, see Chapter 3, Setting Up the Webroot Enterprise Server on page 37.
Client Installation Options
You can use the following options in your logon script when you set up client workstations: If you would like to use a silent installation, add the /q switch in the line that executes SpySweeperSetup.msi. The installation program defaults to visible installation where you see a progress bar and receive feedback when the installation is complete. The syntax is:

SpySweeperSetup.msi /q

Draft August 15, 2005 You can specify the server IP address and port in the command line instead of relying on the.ini file. The syntax is:
SpySweeperSetup.msi SERVERIP=10.10.10.10 SERVERPORT=50000
For a silent installation:

SpySweeperSetup.msi /q SERVERIP=10.10.10.10 SERVERPORT=50000
You can also pass the client deployment setting. This setting should go after the /q switch if you are using that: Pop up on scanRUN_CLIENT_AS=0 Stay minimizedRUN_CLIENT_AS=1 Stay invisibleRUN_CLIENT_AS=2

The syntax is:

SpySweeperSetup.msi /q RUN_CLIENT_AS=1 SERVERIP=10.10.10.10 SERVERPORT=50000
You can apply any of these command line arguments to the SpySweeperSetup.exe installer (which is used for installing on systems lacking the 2.0 version of Windows Installer). The syntax is:
SpySweeperSetup.exe /q RUN_CLIENT_AS=1 SERVERIP=10.10.10.10 SERVERPORT=50000

Example Logon Script

Below is an example logon script. You have to adjust it for your setup and network environment. You have to put the script on your domain controllers or logon servers, then assign it so that it executes when a workstation logs in to your network. This script assumes that you have a shared drive on your network that contains the SpySweeperSetup.msi and SpySweeperSetup.ini files. Typically, these files are in the C:\Program Files\Webroot\Enterprise\Server\Client folder of the system where the Webroot Enterprise Server has been installed. Copy the client files to the network share of your choice, then adjust the script to meet your share path. Also be sure to give all workstations read and execute access to the share.
@echo off REM Check to see if clients are installed on the local machine, if they are then display a confirmation REM message otherwise install the client package and display a message REM Check to see if the Enterprise CommAgent is installed, if not go to install otherwise go to check if exist "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe" goto check if not exist "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe" goto install REM Check to see if Enterprise Spy Sweeper is installed, if not go to install otherwise go to loaded :check if exist "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe" goto loaded if not exist "C:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperTray.exe" goto install 32 2: Installing Webroot Enterprise
REM Display an install message, execute the client setup package from a shared network drive and then go to end :install echo Loading Webroot Enterprise Clients. "C:\Program Files\Webroot\Enterprise\Server\Client\SpySweeperSetup.msi" goto end REM If the clients are already installed then display the following message :loaded echo Webroot Enterprise Clients are already Installed :end
Uninstalling Spy Sweeper from Client Workstations
You can uninstall client workstation components using the Admin Console from the Client Deployment panel (Admin Tasks > Client Deployment). Select the client workstation and click Uninstall Client. You can most easily uninstall clients that were deployed from the Client Deployment panel using this method. If you need to uninstall one of these clients manually, you need to browse to a folder containing the SpySweeperSetup.msi file on your network. Double-click SpySweeperSetup.msi and select Uninstall. You cannot uninstall the client using Windows Add/Remove programs feature.

4. Enter a name for the distributor server. If you enter the DNS name of a server on your network, the IP address automatically populates when you tab to the second field.
5. If necessary, enter the IP address of the server. 6. Click OK. The server name now displays in the list on the right side of the panel.
Draft August 15, 2005 7. Drag a server from the list to a group or to the company in the group tree. To remove a server assignment, select the server in the group tree and click Unassign Distributor. To update the status of the distributors, click Refresh. To remove the selected distributors from their assignments and from the list of distributors, click Delete Distributors. Your company server will automatically send copies of all updates to all distributors. You still need to assign updates manually (from Spy Sweeper >Update Spy Sweeper >Manual Install) or set automatic installation rules (from Spy Sweeper >Update Spy Sweeper >Auto Install) to determine which updates should be applied to which groups.
Changing the Distributor Server Port
By default, a distributor server listens to port 50003.
If you need to change a distributor server to listen on a different port, you can do so. However, the port on each distributor server must be the same as the port used on the company server for the Distributor Service. For information on changing the local distributor port on the company server, see Changing the Distributor Service Port on the Company Server on page 41. The Admin Console service on your company server also uses the same port.
To change the distributor server port: 1. On the distributor server, create a backup copy of the following file: C:\Program Files\Webroot\Enterprise\Server\WebServer\etc\jetty.xml 2. Edit the original jetty.xml file with Notepad or another text editor. 3. Change the jetty.port attribute inside the addListener block from the default port of 50003 to the new port. 4. Open regedit and browse to: HKEY_LOCAL_MACHINE\Software\Webroot\Enterprise\Server\. 5. Enter a new string Value named: DistributorPort. Be sure to capitalize the letters D and P.

Ports: No SSL and SSL (Client Service Settings)
Field Poll Now Ports: No SSL and SSL (Client Settings) Description Port on your company server used to poll the selected client workstations from the Admin Console to update their heartbeat and status. The default port is 50002. Be sure that the port you use is not used to communicate with another system. Fill in one or both fields with the port you want to use. If you want to use SSL, you must also select teh Use SSL option at the bottom of the Network section. Use SSL If you want to use SSL connections for the ports listed above, select this option. Note: Selecting this option means that all of the ports with the SSL field will use SSL. Be sure to fill in the SSL field for each por above. Database section Server Type You cannot change the type of database after installation. The information in this section is read-only.

3. Click Apply.

Changing the Distributor Service Port on the Company Server
The Distributor Service on your company server uses port 50003 by default to distribute updates to your distributor servers and client workstations.
If you need to change this port, you must complete the procedure below. However, the port on each distributor server must be the same as the Distributor Service port on the company server. For information on changing the port on the distributor servers, see Changing the Distributor Server Port on page 35. Be sure that the port you use is not used to communicate with another system. The Admin Console service on your company server also uses the same port. To change the Distributor Service port on the company server: 1. From the Admin Console function tree, select Admin Tasks > Settings. The Settings panel displays, with several sections of settings you can view and edit.
2. Click the Network show/hide bar. 3. Change the port under Local Distributor Settings. 4. Click Apply. 5. Log out of the Admin Console. 6. On the company server, create a backup copy of the following file: C:\Program Files\Webroot\Enterprise\Server\WebServer\etc\jetty.xml 7. Edit the original jetty.xml file with Notepad or another text editor.
Draft August 15, 2005 8. Change the jetty.port attribute inside the addListener block from the default port of 50003 to the new port. 9. Restart the Webroot Admin Console Service. 10. Access the Admin Console using the new port number. 11. From the Admin Console function tree, select Webroot Enterprise Dashboard > Server Status. The Server Status panel displays.

Option Messenger Service Startup Type Description If you turn the Messenger Shield off, after having turned it on, this option controls the state of the Messenger Service Startup Type when the Messenger Shield is off.
If you turn the Messenger Shield off, after having turned it on, this option Leave the controls the status of the Messenger Service when the Messenger Shield is Messenger Service Running off. when Messenger Shield Is Turned Off Alternate Data Stream (ADS) Shield (Applies only to Windows NT, 2000, and XP.) This option actively watches for programs that try to start from an alternative data stream (ADS). ADS is a highly technical way to hide images, data, or code in a file and can be used to hide malicious code. The hidden content is impossible to detect using regularly-available tools, such as Windows Explorer. Turning on this shield stops a program from starting if it tries to start from an ADS.
Internet Explorer section Tracking Cookie Actively watches for tracking cookies as you visit Web sites and removes them. Tracking cookies are cookies that can track your Web activities. Shield On These may include cookies that contain user names, passwords, or similar information that you enter on some Web sites. IE Hijack Shield Actively protects various Internet Explorer functions, such as the home page, search page, error pages, and other default pages that Internet On Explorer displays. Some spyware changes (hijacks) these pages without letting you know. Whenever spyware tries to change these pages, Spy Sweeper blocks the change. Protected Home Page Enter the Web address of the Web site you want as the home page in the format: http://www.webroot.com When you enter a home page, the home page you enter will replace the end users existing home page. End users will only be able to change their home page through the Smart Shields >Internet Explorer panel in Spy Sweeper. If the Tray Icon Setting (Manage Desktop Applications > Spy Sweeper > Configure Spy Sweeper > Sweep Settings) is set to Stay Invisible, end users will not be able to change their home page. Hosts File Shield This option actively prevents changes to the Hosts file. Some spyware will add or change the IP address for a Web site in the Hosts file. When you try On to go to the added or changed Web site, you will really go to a different Web site, such as an advertising site. This shield ensures that spyware does not change an IP address in the Hosts file. If end users are permitted to edit the Hosts file, do not turn this shield on. Keep Hosts File Read-only IE Favorites Shield If you turn the Hosts File Shield off, after having turned it on, this option controls the state of the Hosts file when the Hosts File Shield is off. This actively protects Internet Explorer favorites. Whenever a Web site tries to change favorites, Spy Sweeper stops the Web site from making the change. Some Web sites add entries to IE favorites without letting the user know. Users can still add to favorites in the normal way in IE.

Startup section

Option Startup Shield On Description Actively watches startup items for any changes. Some spyware will add startup items, so that the spyware will always start. This shield ensures that spyware does not add something to the startup items, but also effectively prevents end users from installing software. Be sure that your users do not need to install new software before selecting this shield or set this shield to user editable and instruct users to disable the shield before installing software. You can set up a whitelist of applications that your users need to install and startup with Windows. Spy Sweeper will not block the applications in the whitelist. To add an application to the whitelist, enter the.exe file name in this field and click Add. You can also enter the entire run key that will be added to the registry for the application. Startup Shield Whitelist Common Ad Sites section Blocked Websites Shield On Adds a list of known advertising sites to your Hosts file and sets the IP address for those sites to the IP address for your computer. This blocks banner and other advertising from these sites. When you go to a Web site that has advertising from one of the blocked sites, you may see a small graphic that indicates a broken link to a graphic (typically a red x in a box). This just shows where the blocked ad would display. Uses the list of known advertising sites that comes as part of the Spy Sweeper definitions to block banner and other advertising from the sites on the list. Displays the list of applications that Spy Sweeper will not block from installing and adding to the Windows startup list. To change or delete an application, select it and click Modify or Delete.
Enter/Edit Application Not to Block
Use Webroot Spyware Definitions
Use Custom List Uses the list of sites that you added below to block banner and other advertising from the sites on the list. Enter/Edit Website to Block Common Ad Websites Spy Installation section Spy Installation Shield On Actively watches for known spyware that tries to install itself on your computer. Whenever known spyware tries to install itself, Spy Sweeper stops the installation. You can add executable file names to the list, and this shield will stop the file from executing on the client computer when a user tries to start a specific application. For example, you could add a file sharing application that you do not want to let company personnel use. To add an application, enter the file name in the text box and click Add. Additional Blocked Applications Displays the of blocked applications you have added. To change or delete an application, select it and click Modify or Delete. You can add to the list of blocked sites. To add a site, enter the site address in this field and click Add. Displays the of Web sites you have added. To change or delete a site, select it and click Modify or Delete.

Registry

Tray Icon Pop up on Scan
Allow Users to Cancel Sweeps Close Internet Explorer after Sweeps
Option Enable Manual Mobile Client Definition Updates Description Select this option if you have end users who use laptops and travel a lot. This option lets them receive Spy Sweeper definition updates directly from Webroot by clicking a button when they are connected to the Internet. For more information, see Setting Up Updating for Mobile End Users on page 63. Enter a password that lets system administrators access and change Spy Sweeper settings when you are working at a client workstation. For more information, see Unlocking Functions at a Client Workstation on page 63.

Client Password

4. If you want end users to be able to change a setting, select the User Editable option. 5. Click Apply. Spy Sweeper will use these options when running sweeps. To change the settings for one group to be the same as the settings for the whole company, select the group in the group tree and click Revert to Company Settings.

Setting Up Sweep Alerts

You set Spy Sweeper to send e-mail alerts to specific people when it detects different types of spyware. Before you can set up e-mail alerts, you must enter one or more notification recipients. For more information, see Setting Up Notification E-mail Addresses on page 42.
To set up sweep alerts: 1. From the Admin Console function tree, select Manage Desktop Applications > Spy Sweeper > Configure Spy Sweeper > Alert Notifications. The Alert Notifications panel displays with the available alert types and notification recipients.
2. Drag the name of a notification recipient to the alert tree. To remove a recipient from an alert type, select it and click Unassign E-mail Address. Spy Sweeper will use these settings to send alerts when it detects spyware.

Running Sweeps

You can run sweeps the following ways: Run a sweep now (see page 57) Schedule sweeps (see page 57) Run a sweep in safe mode (see page 58)
You can also view and stop sweeps that are running. For more information, see Viewing and Stopping Sweeps on page 60.

Running a Sweep Now

Updating Spy Sweeper

Your company server checks with the Webroot Update Server for any available server updates, client program updates, and definition updates. You configure the frequency of this check using the Webroot Server Polling Interval field, which is on the Basic section of the Settings panel (Admin Tasks > Settings). If you want server component updates to install automatically as soon as they are downloaded, select the Automatically Install Server Updates option in the Basic section. If this option is not selected, you must manually install server updates by executing the setup batch file contained in each server update folder. Updates for the client Spy Sweeper program and definitions download whenever your company server contacts the Webroot Update Server, but they do not install automatically. You must either manually install them or set up automatic installation rules at the company or group level. You can set up and do the following related to the distribution of Spy Sweeper updates: Install updates manually (see page 61) Install updates automatically (see page 61) Set up notification (see page 62) Set up updating for mobile end users (see page 63)
Installing Updates Manually
You can install updates manually whenever you receive notification of an update. For information about setting up notification, see Setting Up Update Notification on page 62. You may want to use manual updates for major and minor updates as well as bug fixes and new products. This gives you the chance to install these updates on a few client workstations to see how they work before deploying them to many users.
Release 2.5 includes a change to the format of the spy definitions. Until you upgrade all of your client desktops to the 2.5 release, you must apply the release 2.1 definition format to older client desktops and the release 2.5 definition format to upgraded client desktops. You can manually install updates by group or for the whole company.
To install updates manually: 1. From the Admin Console function tree, select Manage Desktop Applications > Spy Sweeper > Update Spy Sweeper > Manual Install. The Manual Install panel displays with the available updates and group tree.

Table 10 shows the points Spy Sweeper assigns to found threats
Table 10: Points assigned to found threats Threat Trojan horse System monitor Adware Other Points 1 1
To view the Top Spyware Threats: 1. From the Admin Console function tree, select Webroot Enterprise Dashboard > Top Spyware Threats. The Top Spyware Threats panel displays.
2. Click Refresh to update the status based on the latest polling data from each client workstation. To see more information about a specific spyware item, select it in the list and click Details. To export the data from either list of client workstations, click Export All or select the workstations you want to include and click Export to Excel. You can select more than one workstation by using Ctrl or Shift as you select workstations. If you want to change any sweep or other Admin Console settings for one or more client workstations in either list, select the workstations and click Poll Now to tell the client workstations to poll and get the new settings immediately. If you want to sweep one or more client workstation in either list, select the workstations and click Sweep Now.
Viewing the Server Status
The Dashboard Server Status panel lists the latest downloaded software and definition versions, the current port settings, and the Webroot services status for the company server.
To view the Server Status: 1. From the Admin Console function tree, select Webroot Enterprise Dashboard > Server Status. The Server Status panel displays.
2. Click Refresh to update the status. 3. If a service is not running, click Start to start it. All listed ports should be open. If one is not, check your firewall and proxy settings.

Viewing License Status

The Dashboard License Status panel lists your license expiration date and shows your license status:
Webroot Enterprise System Administrator Guide 69
Critical (red)One or more licenses has expired or will expire within 30 days. Moderate risk (yellow)One or more licenses will expire within 60 days.
To view the License Status: 1. From the Admin Console function tree, select Webroot Enterprise Dashboard > License Status. The License Status panel displays.
2. Click Refresh to update the status.
Viewing Update History and Installed Versions
You can view the following information about updates and installed applications: Update historyList of updates downloaded from the Webroot Update Server. (See page 70.) Installed applicationsList of versions installed by client workstation. (See page 70.)

Viewing Update History

You can view a history of when Webroot Enterprise Server and Spy Sweeper client updates were downloaded from the Webroot Update Server.
To view the update history: From the Admin Console function tree, select Status > Update History. The Update History panel displays with a list of all of the updates downloaded to date.

IP and Name Examples

Syntax GROUPNAME, IP, 10.10.10.10 GROUPNAME, IP, IPLOW-IPHIGH GROUPNAME, IP, 10.* GROUPNAME, IP, 10.10.* GROUPNAME, IP, 10.10.10.* GROUPNAME, IP, 10.10.9* GROUPNAME, IP, IP/bits GROUPNAME, IP, IP/netmask GROUPNAME, NAME, workstationname GROUPNAME, NAME, mktg* Description For a single IP address For a range of IPs 10.70.96.1 - 10.70.99.254 All workstations with an IP starting with 10. All workstations with an IP starting with 10.10. All workstations with an IP starting with 10.10.10. All workstations with an IP starting with 10.10.9 bits = CIDR bits for Classless Inter Domain Routing netmask = netmask in the form 255.255.252.0 workstationname = single workstation name All workstations with names beginning with mktg
Active Directory Rule Format
Supported platforms for Active Directory rules are: Windows 2000 Active Directory SP 4 or later Windows 2003 Windows SBS
GROUPNAME;ADS;BIND_DN;User;Pass;Filter;$RULENAME;RULEPARAM1;RULEPARAM(n) Parameter GROUPNAME or $RULE= Description This is the name of the group that will be created for workstations matching this rule. There are two valid formats for this parameter: GROUPNAMESimply the name of the group that you want to add workstations to. $RULEThe literal string $RULE which denotes that the group name is created as the result of an Active Directory rule that is specified by $RULENAME (below). This is the name of an organizational unit within Active Directory. ADS= Bind_DN= User= Pass= Filter= Indicates that this is an Active Directory rule. The Lightweight Directory Access Protocol (LDAP) URL defining the base DN to bind the filter search to as defined in RFC2255. The name of the user account to access the ADS. The encrypted password for the user, as plain text, created by GroupAssignmentPass.exe. The format is: OBF: 12A79DF36EE. The LDAP filter to filter workstations that this group might be a member of, as defined in RFC2254.
Parameter $RULENAME= $RULEPARAM1= Description The name of the rule to be applied. Supported $RULENAMES are: TOP_OU or BOTTOM_OU. The parameter to pass into the rule that is provided by $RULENAME. Supported $RULEPARAM1 for TOP_OU or BOTTOM_OU. The CN of the top or bottom DN to use as group automatic name generation (for example, OU, L, G).
Active Directory Rule Example
[Groupname or $RULE];ADS;LDAP://servername/DC=EnterpriseLab,DC=local; elab\joeshmoe;OBF:12A79DF36EED12F;(&(objectclass=computer)(CN=FP*));BOTT OM_OU;DC
Processing this rule: 1. When the tool is run and this rule is encountered, this rule will be applied to each workstation in the Webroot Spy Sweeper Enterprise (SSE) database that meet the rule criteria. 2. The workstation is looked up by hostname of the ADS and the Computer object returned (using user,pass). 3. The DN is inspected for the highest (Top) or lowest (Bottom) OU that is found specified by the rule. 4. This DN is converted in to an SSE safe group name (contains only characters allowed in group names). 5. This group is created if it does not exist but only if the -G switch is set. 6. If the group does not exist and the -G switch is not set, the software reports this condition and continues processing the next rule. 7. The workstation record is updated to reflect this new group, if it is not already set properly. 8. A log of all actions is created.

* If you use SQL Server, then the value for DBISAM should be set to 0. UseDBISAMDatabase= 0=Turn
* If you use DBISAM, then the value for SQL Server should be set to 0. DBPath= Provider= Password= Persist Security Info= User ID= Initial Catalog= Data Source= DBISAM Setting only. The standard location on your Admin Console server is: C:\Program Files\Webroot\Enterprise\Server\ReportingTools\DB Your SQL Server provider name, typically set to: SQLOLEDB.1. Your SQL Server password. 1=True, 0=False. SQL Server user ID. Set to the SQL Server SQL database name. Set to the SQL Server local default instance server name or named instance.

Running SSEReporter.exe

Usage: SSEReporter [-r reporttype][-m domainfilter][-w workstation]
[-s startdate][-e enddate][-o outputoption] [-f filename][-b watermark]

Parameter Details:

Parameter -r <reporttype> Description Type of report. Options are: summarySummary of all infected workstations. detailDetailed spy information for all workstations. historyspySpy history for a single workstation. historystatusVersion information from workstation scans. threatsSummary of top threats found. -m <domainfilter> -w <workstation> Domain selection filter for the report. Regular expression search tokens are used. Name of a particular workstation used for workstation history reports. Regular expression search tokens are used. You must use quotes around any workstation name that includes a white-space character. Starting date for report (format mm/dd/yyyy). Ending date for report (format mm/dd/yyyy). Output type. Options are: text, printer, pdf.
-s <startdate> -e <enddate> -o <outputoption>
Parameter -b <watermark> Description Enables a background watermark on the report. This option is valid for printer output only. Options are: topsecret, secret, classified, and unknown. Examples are at the end of this document. Fully qualified path and file name for the output file. This option is only necessary if the -o option is set to text or pdf (Adobe Portable Document Format). You must use quotes around any file name or path element that contains white-space characters.

-f <filename>

Examples:
SSEReporter.exe -r detail -s 2/20/2004 -e 5/05/2005 -m "%Top%" -o text f "C:\Results Dir\output.txt" SSEReporter.exe -r summary -s 2/20/2004 -e 5/05/2005 -m "%Top%" -o text f C:\tempoutput.txt SSEReporter.exe -r historyspy -s 2/20/2004 -e 5/05/2005 -m "%Topdatafield,middatafield%" -w "WW-6042FHGZN437" -o printer -b classified

Sample Reports

Summary Report

Detail Report

Spy History Report
Workstation Version History

Top Threats

A Add Group button 44 Add User button 47 Additional Blocked Applications list 53 Admin Console configuring server settings 37 defined 4 installing 4 managing users of 47 understanding 3 understanding the main window 29 updating 38 viewing user audit logs 47 Advanced section 39 alerts, setting up for sweeps 56 All Folders on Selected Drives option 55 Allow Users to Cancel Sweeps option 55 Alternate Data Stream Shield (ADS) option 52 Always Keep list 50 applications viewing errors from client workstations 71 viewing installed by group 70 viewing update history of 70 assigning distributor servers 33, 34 audit logs for Admin Console users 47 Automatically Install Server Updates 39 B Basic section 38 Blocked Websites Shield On option 53 C canceling sweeps 60 changing the port for distributors servers 35 Check for Updates button 38 client components example logon script 32 installation options 31 client components, installing 28, 29, 30 Client Password field 56 Client Service defined 4 installing 4 Client Service IP field 14, 19 Client Service Port field 13, 19 client workstations Webroot Enterprise System Administrator Guide
adding to groups 44 creating reports about 45 deleting 46 example logon script 32 managing 43 options for setting up 31 polling now 46 removing from groups 44 setting up 28, 29, 30 uninstalling Spy Sweeper from 33 unlocking Spy Sweeper functions at 63 viewing application errors from 71 Close Internet Explorer after Sweeps option 55 Close Windows Explorer after Sweeps option 55 CommAgent Polling Interval field 19 CommAgents defined 4 installation options 31 installing 4, 28, 29, 30 viewing heartbeat status of 71 viewing update history of 70 Common Ad Websites list 53 Company Name field 17, 38 company server status, monitoring 69 configuration examples 6 configuring sweeps 54 Consolidate Alerts field 39 continuous monitoring, setting up 51 conventions, typographic 1 creating reports about client workstations 45 customer support 2 D Dashboard Definition Status panel 67 icons defined 65 Infection Status panel 67 License Status panel 69 Refresh button 65 reviewing 65 Server Status panel 69 status bar 65 Sweep Status panel 66 Top Spyware Threats panel 68 database migrating from DBISAM to SQL 77 99
setting up SQL 11 Database section 41 database, recommendations about selecting type 5 DBISam option 21 DBISAM, migrating from 77 Definition Status panel defined 67 icons in 67 definition status, monitoring 67 definitions updating 60 updating automatically 61 updating for mobile end users 63 updating manually 61 Delete Group button 45 Delete Workstations button 45, 47 deleting client workstations 46 Deploy Client button 30 distributor servers assigning 33, 34 changing the default port for 35 how they work 6 installing 33 recommendations about number to use 5 removing 34 unassigning 34 updating process 8 distributors defined 5 installing 5 Download Folder field 13, 38 E E-mail Host field 13, 19 E-mail Recipient field 40 E-mail section 39 Enable Automatic Mobile Client Definition Updates 55 Enable Automatic Mobile Client Definition Updates option 63 Enable In Depth Memory Scan option 58 Enable Manual Mobile Client Definition Updates option 56, 63 Enter/Edit Application Not to Block field 53 Enter/Edit Application to Block field 53 Enter/Edit Website to Block field 53 errors viewing for applications on client workstations 71 example logon script 32 Export Workstations button 45 exporting reports about client workstations 45 F file, saving reports to 72 100

www.veritest.com info@veritest.com

March 2006

Webroot Spy Sweeper Enterprise Spyware Effectiveness Testing
Test report prepared under contract from Webroot. Executive summary
Webroot, Inc. commissioned VeriTest, a division of Lionbridge Technologies, Inc., to conduct a test comparing the following Enterprise class antispyware applications: Webroot Spy Sweeper Enterprise 2.5.1 Sunbelt CounterSpy Enterprise 1.5.268 McAfee AntiVirus Enterprise with AntiSpyware Module V8.0

Key findings

Webroot cleaned 94% of all spyware tested, vs. 53% for McAfee and 26% for Sunbelt Webroot Spy Sweeper Enterprise removed 97% of System Monitors tested. Webroot Spy Sweeper Enterprise identified and removed 96% of Adware tested.
The testing was designed to focus on spyware detection and removal effectiveness.
For the purposes of this test, spyware was intended to include all varietals including system monitors, adware and Trojans. Spyware is software with a wide variety of purposes that varies as designed by spyware creators. This software is often installed on a personal computer without knowledge of the PC user. Spyware, unbeknownst to the PC user may monitor activities on the PC and glean personal information for unscrupulous third parties. Spyware may also present undesired advertising to the PC user, or even provide a means for additional undesired software to be installed. VeriTest began with a CD-ROM containing 200 individual pieces of spyware comprising system monitors, 1 adware and Trojans to be used in this test. Testing was performed over a period of four months during which time, many of the spies morphed with new variations. Each Enterprise anti-spyware application was installed to its own server, each of which had three client PCs dedicated as agents. All computers in this test were provided Internet access via a proxy server. A Snapshot was taken which included the File and Operating System configurations on each PC prior to installing spyware. After the Snapshot was taken, five individual spyware programs were installed to each client PC. The PC was then rebooted. Upon reboot, Internet Explorer was opened and a known web page was visited. The anti-spyware application was then instructed to perform an exhaustive scan with subsequent reboots and rescans if required. When the anti-spyware application indicated that there
The spyware programs utilized for this test were randomly chosen from a database of over 8000 spyware installation programs that was provided by Webroot. These spies consisted of a random mix of adware, system monitors and Trojans. 250 spies were randomly chosen from the database, 200 of which were used in the test.
Webroot Spyware Removal Effectiveness Study
were no further traces of spyware, or demonstrated no progress in removing identified spyware, an analysis of changed file and operating system configurations was performed. It is important to note that the proper analysis of spyware scanning results is critical and by its nature lends itself to misinterpretation of what constitutes a clean or not clean PC system. The single most important tool used in the analysis of the results of this spyware removal testing was the testing methodology document (Appendix A). Without having a pre-defined, concrete definition of how to interpret the scanning results it is extremely likely that the results can fall into a gray area where the results can be subject to individual opinion. The testing methodology used in this test goes to great lengths to eliminate this gray area of partially cleaned spies so that the results can only be interpreted as cleaned or not cleaned by whoever views them. In addition, the analysis of a PC after the cleaning process requires an intimate knowledge of Registry and File System components. A spyware program will often install shared applications or components that are common among legitimate software. In analyzing the log files produced during this test, VeriTest engineers took special care in utilizing their experience to identify Registry and File System modifications that are not unique to the spyware program. The result is that you may remove or break a legitimate application when attempting to remove the common component along with the spyware program. Therefore, these shared and benign components were not counted as spyware traces left behind by the anti-spyware application. In testing 200 individual spyware programs, Webroot Spy Sweeper Enterprise performed exceptionally well in detection and thorough removal of spyware traces. Though other anti-spyware applications were competent in their detection capabilities, their ability to completely remove all spyware traces was weak. Webroot Spy Sweeper proved superior to the other applications tested in effectively identifying and removing spyware. Webroot Spy Sweeper Enterprise went beyond removing the spyware infection by also removing the spyware installation file. This is critical to prevent re-infection. Individuals responsible for the security of their Enterprise PC infrastructure should take special care to ensure that the threat of future infection is eliminated by removal of the spyware installation file from the PC.

VeriTest Enterprise Spyware Test Scoring:
Scores were determined by subtracting from a total of 200 possible points, relative to the number of spyware programs tested. One point was subtracted for each spyware program noted to have not been effectively cleaned.

Total Score

- Webroot Spy Sweeper Enterprise: 187 - Sunbelt CounterSpy Enterprise: 52 - McAfee AntiSpyware Enterprise: 106 Webroot Spy Sweeper Enterprise proved to provide the most effective detection and removal of Spyware applications in this test.

105 52

Webroot Sunbelt McAfee

Points out of 200

Test Findings
Spyware Identification and Removal Effectiveness Testing Results
Of the 200 spyware applications tested, Webroot Spy Sweeper Enterprise effectively cleaned 187 spyware applications. Sunbelt CounterSpy Enterprise cleaned 52 and McAfee VirusScan Enterprise with AntiSpyware Module cleaned 106. Effective cleaning of spyware applications is critical to the security of the PC in the enterprise. As demonstrated in the graph below, Webroot Spy Sweeper Enterprise demonstrated the greatest ability to detect and remove spyware.

100% 80% 60% 40% 20% 0%

53% 26%

Webroot

Sunbelt

McAfee

Spyware Elimitated
Spyware Cleaned by Category The graph below demonstrates detection and cleaning ability based on spyware category. For the purposes of this test, spyware was grouped into adware, system monitors and Trojans. There was a total of 122 adware, 30 system monitor and 53 Trojan programs tested.

26% 53% 96%

85% 64%

10% 17%

Adware

System Monitors

Trojans
Spyware Retest Sample After all spyware applications had been tested, the VeriTest test engineer selected ten random spyware programs that all three products had failed to clean in the first round for re-testing. All spyware programs to be re-tested were selected from a list of the first 75 spyware programs installed early in the testing process. Webroot and Sunbelt software demonstrated the most significant improvement in cleaning leaving only two spyware application traces remaining.

Cleaned

Not Cleaned
These initial tests took place during the second half of November and first half of December 2005. Not only is a vast database of known spyware applications important to the Administrator, but aggressive identification of new spyware threats is equally important. In this test, both Webroot and Sunbelt demonstrated comparable rates of progress in identifying new and morphed spyware programs. McAfee fell short of Webroot and Sunbelt in this area.

CONCLUSION:

Testing anti-spyware applications for effectiveness is extremely complex. Most businesses conduct rudimentary tests with common spies that produce inconsistent results. In this robust test that spanned four months and included 200 spies, with simultaneous installations of adware, system monitors and Trojans, Webroot Spy Sweeper Enterprise significantly outperformed the Sunbelt and McAfee products by accurately identifying and effectively removing more spyware. Effectively removing 94% of spyware programs demonstrates excellent early detection and cleaning methodology. On a later rescan of spyware programs noted as not effectively cleaned early on in testing, VeriTest found that eight of ten programs were cleaned. This is an excellent improvement as many spyware programs morph or evolve, making detection and removal even more difficult. Administrators must take into account the rate at which their anti-spyware vendor identifies new threats. The aforementioned testing results are evident of a right tool for the job scenario. Webroot has proven to provide the greatest protection against spyware at the time of this testing.
APPENDIX A: Testing Methodology
Each Enterprise anti-spyware product was installed to an individual Windows 2003 Standard Edition server. Each Enterprise anti-spyware product had three client PCs dedicated as agents of that software. Each agent PC had a Windows XP Professional Operating System. All PCs and servers were provided unrestricted Internet access via a proxy server. Anti-spyware applications were allowed to update their products via the Internet at will. On each client PC, an enterprise agent was installed along with Install Watch, Regmon, Filemon and HijackThis analysis tools. InstallWatch was used to take a snapshot of File and Operating System states prior to the installation of spyware. Regmon and Filemon were configured to watch File system and Windows Registry modifications made by each group of five spyware applications installed. With analysis software in place and a snapshot of the clean PC taken, five spyware applications were installed. These applications were a random combination of spyware, malware, adware and Trojans. Each client PC had the same batch of five spyware applications installed in each group. After spyware installation was complete, Filemon and Regmon analysis data was exported for later review. The PC was then rebooted. The anti-spyware application was then instructed to perform a scan for spyware. Upon completion of the initial spyware scan the PC was rebooted and an additional scan was performed. If the anti-spyware enterprise agent or server reported additional spyware traces were found, an additional reboot and subsequent scan for spyware was performed until the agent reported no further spyware traces were found or no further progress was noted in the removal of an identified piece of spyware. When an enterprise agent reported a PC as clean, or an enterprise agent application failed to clean, InstallWatch was then instructed to compare the post infection operating system state with the clean snapshot. The analysis was then exported. HijackThis was then executed and its log was also exported. The InstallWatch analysis was then reviewed. Added file and registry modifications were examined to determine what if any spyware traces were not cleaned. Filemon and Regmon logs facilitated the identification of what spyware application made what file or registry change to the PC. The HijackThis log also facilitated ready identification of offending registry modifications such as adding URLs to Internet Explorers Trusted Zones. The new file and system modifications were compared to the Regmon and Filemon log files to conclude which spyware program was not thoroughly cleaned. A spyware program was deemed clean if any Executable, Component, or Hijackthis identified running processes or Registry entries associated with the spyware installation were not identified within logs. Upon the completion of the agent scans and the export of InstallWatch, Regmon, Filemon and Hijackthis analysis information, the PC was then restored to a clean state by restoration of a clean hard drive image. Steps in the process used in this cycle are as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. Take a snapshot with Install Watch. Drag the installers from a CD to the testing machines desktop. Run Filemon and Regmon with no filters enabled. Copy dlls to the test machines System32 directory. Run the executables. Visit a well-known clean webpage such as google.com or msn.com After five minutes or a halt in activity in the Regmon and Filemon utilities, save the logs for said utilities. Reboot the test machine. Use the installed product to scan and remove any spies. Repeat Steps 8 and 9 either until no spies are detected or until consecutive scans detect the same spies. Run HijackThis and save the resulting log to an external resource. Analyze or complete the snapshot in Install Watch. Save all logs to an external resource. If it is not possible to complete the Install Watch Snapshot or save the logs to an external source, and create a substitute round of installers. Note on the results spreadsheet any spies that are clearly Not Clean.

15. Restore the test machine back to its setup state. To complete the analysis, compare the Install Watch, Filemon, and Regmon logs captured during each test group. Use the following procedure for analysis: 1. 2. 3. 4. Search the Filemon and Regmon logs for all exe and dll files that are in the Added Files log. Search the Filemon and Regmon logs for all registry keys that are in the Added Registry log. Search the Regmon log for any registry keys that shown as modified in the HijackThis log. Search the Filemon log for any processes found in memory as shown by the HijackThis log.
Use the table below by which to measure the results of a products effectiveness against a spy compared to the traces discovered using the process above; if any Dirty condition is met that spy is considered Dirty: Dirty: Clean: The Installer was not removed from the desktop or the System32 directory. Any executables or dlls on the test machine not removed that were written by any of the installed spies or executables or dlls 2 written by one of the installed spies. A process left in memory on the test machine was written by one of the spies installed or executables or dlls written by one 1 of the installed spies. 3 Any browser hijack(s) created by one of the installed spies or a file written by one of the installed spies. If none of the conditions of Dirty have been met the spy is considered Clean.
Example of analysis for one round of installers: In this example the spies CSRSS SpamRelayer, Goldfer_SpamRelayer, mspm-bot, PC Activity Monitor and Spy Software were installed. Two of these pieces of spyware are commercially available Keyloggers but the other three are Trojan horses with no consistent installation source, making it difficult to test against this type of threat unless the user has a ready database of Installers for all manner and type of threats. The product being analyzed in this instance is McAfee Enterprise AV with anti-spyware module 8.0. Following the steps of analysis, the first log to search for executables and dlls is the Added Files Log. One of the first executables found is v8install_spy_software_4_parents.exe, see Figure 1.
There may be cases when a spy downloads and installs known good software such as utilities, Winpcap for example is downloaded by several Keyloggers. Some spies may download and install Microsoft common controls for use in their GUIs, comctl32.dll and comdlg32.ocx may be used by a piece of Adware for example. Files such as these should not be considered part of a spy. 3 Examples of browser hijacks include; HKEY_CURRENT_USER\Software\Microsoft\Search Assistant DefaultSearchURL http://search.2020search.com/9894/search/redir.php?cid=shnv9894PCID=00000000000007858367&s= HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Start Page "about:blank" http://myhomepage.capitantrash.com/ HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Default_Page_URL "http://www.dell4me.com/mywaybiz" http://myhomepage.capitan-trash.com/

Figure 1 Installer left on machine. After reviewing the Installer CD, this is the Spy Software installer, see Figure 2. Without knowledge of what installers are present on the box it is impossible to accurately tell if a spy was cleaned or not cleaned by the anti-spyware product.
Figure 2 Installer is Spy Software Searching farther through the Added Files Log the executable fbserver.exe is found, see Figure 3. It is then necessary to search the Filemon log to determine what created this.exe.
Figure 3 Executable left on disk Searching within the Filemon log for the CREATE statement that goes along with fbserver.exe shows that the process pcastd_setup.ex created fbserver.exe, see Figure 4.
Figure 4 Filemon log Searching the Installer CD shows that pcastd_setup.exe is the PC Activity Monitor Installer, see Figure 5.

Figure 5

The next file to analyze is chp.dll, written to c:\windows\system32, see Figure 6.
Figure 6 In the Filemon Log it is found that chp.dll was written by vxgame6.exe, see Figure 7.

Figure 7

This file found on the Installer CD is the mspm-bot Installer, see Figure 8.

Figure 8

The last example is split.exe left in C:\Windows\system32, see Figures 9 and 10.

Figure 9

Figure 10
The Filemon log shows that split.exe was written by vxgamet1.exe, see Figure 11.
Figure 11 Searching the Installer CD it is found that vxgamet1.exe is the installer for Goldfer_SpamRelayer. It is often advisable to search the Internet for information concerning the files left on disk. Searching Google for the filename split.exe reveals interesting results, see Figure 12.

Figure 12

It is possible that the file left on disk split.exe is the utility mentioned in the first result. At this point, more investigation is needed such as looking at the internals of the file, running it on a clean machine, and seeing what changes it makes and what it attempts to do. If time permits, this is an advisable way to determine if this leftover file is truly malicious or if the spyware installed is putting legitimate files on the system to attempt to fool the anti-spyware software.

Method Summary

This testing methodology is a very accurate way to measure the capabilities of anti-spyware products in a controlled manner against a wide variety of threats. To get this kind of accuracy requires having a large sample of previously identified spyware installers, the time required to do a full round of installation, detection and removal of the spies, and then analysis of the logs and probably of the files themselves. Given all these factors it is not advisable to attempt this level of testing, the time required is a limiting factor and proper analysis of the logs requires an intimate knowledge of the spies being tested against. It is also not advisable to test in other manners including testing against a known infected machine, testing against a known installer of spyware such as Kazaa or Grokster, or visiting a website known to distribute spyware via a drive-by exploit. The problems with these types of testing includes: an unknown amount of spies installed leads to inaccurate results of Clean versus Not Clean, a limited test bed of only a few pieces of adware installed do not truly show if an anti-spyware product can detect or remove keyloggers or Trojans, and there is still a learning curve to understand what the product has detected and removed fully and analysis of files leftover to determine if they truly constitute a threat to the user.

APPENDIX B: NETWORK TOPOLOGY
Each Enterprise software was installed to a dedicated Windows 2003 Standard Server. Each product in this test had three client PCs dedicated as Agents. All Servers and PCs were connected to a shared Ethernet Switch. All Servers and PCs obtained Internet Access via a Proxy Server.
1U 1U 1U Webroot Enterprise Server Webroot SpySweeper Client 1 Webroot SpySweeper Client 2 Webroot SpySweeper Client 3
1U 1U 1U Sunbelt Enterprise Server
Sunbelt CounterSpy Client 1 Sunbelt CounterSpy Client 2 Sunbelt CounterSpy Client 3
1U 1U 1U McAfee Epolicy Orchestrator
McAfee AntiSpyware Client 1 McAfee AntiSpyware Client 2 McAfee AntiSpyware Client 3

Ethernet Switch

Proxy Server