Review: SurfControl ETS (Enterprise Threat Shield)

From a security and a general IT perspective there is a not-so-new and growing threat: unauthorized software. Call it what you like: spyware, adware, malware. The simple fact remains that if it is unsupported and was not installed by the IT staff, it could potentially wreak havoc on your environment. I’m going to give you a quick review of a software solution by SurfControl, who is also known for their solid web filtering solution. Let’s move on to see why Threat Shield can help save you from the malware, and can also help save you from your users as well.

How it works
Threat Shield starts off pretty standard with your basic client-server model: a management console for centralized administration and a very small footprint agent of about 200k. The client only runs on Windows 98 or higher and can be push installed on Windows 2000 and up. The client piece scans in real time looking for signatures of misbehaving software from SurfControl’s massive database. On the back end sit the policies you’ve defined. If a client matches a signature, the business rule kicks in and any number of actions take place, from a simple alert to an outright uninstall of the offending software. In fact you are able to remove, block, alert, or warn on any event. SurfControl calls this their “Three stage Protection” and the stages are as follows:

Write Watch - manages the writing of files to local or network drives. Based on custom rules and/or the Threat database, files can be blocked from writing and/or alerts can be sent.
Exe Watch - manages executables on the client machine. Based on custom rules and/or the Threat database, programs are monitored in real time and can be blocked from running and/or alerts can be sent.
File Watch - manages the existing files on local or network drives. Based on custom rules and/or the Threat database, files can be removed and/or alerts can be sent.

You also have full reporting capabilities. One of the features that impressed me was the ability to make custom signature databases. This allows you to customize rules that warn, alert, block, delete or uninstall almost any file or software on a client machine. This is a really powerful feature.

Case 1:
In a recent post and podcast we discussed a security concern with the new Google Desktop. The only real way to mitigate the risk in your organization was to make sure your users had the Enterprise version of Google Desktop installed, and not the consumer version. A single installation of the consumer version could compromise an entire security program, not to mention lots of regulations. With ETS you could simply write a custom database rule that does not allow the consumer version to install, scans for it and uninstalls it if found, and does not allow it to execute if somehow it was installed.
Case 2:
We all know users like to keep music on their machines, and sometimes even try to share it on the corporate network. The Threat Shield client can continually scan for MP3 files and remove them automatically, possibly saving your organization from costly litigation and fines.

These are just two examples showing that not only do you get coverage from malicious software but you can also manage your users’ files and any other software that may or may not be malicious. Threat Shield also supports the tracking of web surfing usage but tracks only time spent surfing. No details are recorded. This feature seems like an afterthought and the only real value would be for cases of documenting misuse.

Conclusion
SurfControl Enterprise Threat Shield is an interesting product. It takes a different approach to malware prevention and in doing so gives some extra capabilities. Although it is marketed as a spyware prevention tool, it more closely resembles an application management product, and in my mind you are getting more than you paid for. That being said, there are a few drawbacks. The signature-only approach has its pros and cons. Without the “intelligence” of heuristics you are relying solely on SurfControl to keep you protected with prompt updates. On the flip side, the occurrence of false positives is going to be near zero. While I think this is a great solution, it alone cannot do it all. It is a stellar start, but you’ll need to couple this product with a web filter and possibly an IDS/IPS to get that restful baby-like sleep most managers do without. If you have the need for such a product and the $15 a seat retail cost, I could easily recommend this product. It performs as advertised and in this reviewer’s opinion ETS could trim a serious chunk of support resources if deployed and used properly. And no, I am not affiliated with SurfControl in any way, I just think this software is really neato. ;)

 

Author:  Larry Hinz
