Network Computing
Security
REVIEW
Defense Starts Here

  February 20, 2003
  By Mike DeMaria


Other Products Reviewed

Zone Labs Integrity 2.0 | Internet Security Systems RealSecure Desktop Protector 3.5 | Securitae CMDS 2.2 | Symantec Security Center

Zone Labs Integrity 2.0

Zone Labs made its mark in the desktop firewall world with Zone Alarm, its application-blocking firewall for consumers. This technology has been merged into Zone Labs' enterprise product, Integrity 2.0 with Integrity Agent 3.5. Integrity offers all the protection options we sought, but its management, reporting and integration features are average at best.

Through the browser-based management server, Integrity lets you create multiple administrator accounts. However, you cannot place access limitations on which groups the administrator can configure--you can do so with Sygate's and ISS's products. All administrators have full access to all policy files. You can set two policy files: one for the trusted zone, the other for the Internet zone. And you can use these two files to control which ports or applications can act as a server or as a client in either zone.


Integrity can quarantine POP3 and IMAP e-mail attachments based on file extensions, though it can't do the same for Webmail and Exchange. The end user has final say over whether an attachment should be permitted, but the file's extension is changed. You can find the original extension and change it back by looking at the mailsafe log file.

Importing the MD5 hashes can be a hassle, but an included utility, appscan, simplifies the process. You can do a reference scan or put a client in observation mode. We did the reference scan on a clean client system, and appscan generated a complete list of MD5 hashes, then uploaded that file to the Integrity server.

Unfortunately, a reference scan isn't enough to create an explicitly defined trusted application list. We needed to put the client on a clean system in observation mode. Once we launched our applications, they were reported to the management server. We could then set up the approved application list. This is the same process as enabling the Sygate firewall's learning mode. The benefit to a reference scan is that you can configure a policy to permit an application listed in the reference scan but not explicitly permitted or denied in the approved application list.
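The relationship between a reference scan and an approved application list, as described above, can be sketched in a few lines. This is an added example, not code from Zone Labs or any product in this review; the function names, the sample files and the default-deny outcome for unknown hashes are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5"):
    """Hash a file in chunks. MD5 matches the products reviewed; pass "sha256" today."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def reference_scan(root, algo="md5"):
    """Walk a clean baseline tree and return {digest: relative path}."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            inventory[file_digest(path, algo)] = os.path.relpath(path, root)
    return inventory

def decide(digest, approved, reference, permit_reference=True):
    """Explicit approved-list entries win; the reference scan is only a fallback.
    Denying everything else is an assumption of this example."""
    if digest in approved:
        return approved[digest]          # "allow" or "deny"
    if permit_reference and digest in reference:
        return "allow"
    return "deny"

def demo():
    # Constructed stand-ins for executables on a clean baseline machine.
    files = {"browser.exe": b"browser v1", "mailer.exe": b"mailer v1", "tool.exe": b"tool v1"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        reference = reference_scan(root)
    by_name = {name: digest for digest, name in reference.items()}
    approved = {by_name["browser.exe"]: "allow", by_name["mailer.exe"]: "deny"}
    # A binary changed after the baseline was taken hashes to an unknown value.
    patched = hashlib.new("md5", b"browser v1, modified after baseline").hexdigest()
    return {
        "browser.exe": decide(by_name["browser.exe"], approved, reference),
        "mailer.exe": decide(by_name["mailer.exe"], approved, reference),
        "tool.exe": decide(by_name["tool.exe"], approved, reference),
        "tool.exe (fallback off)": decide(by_name["tool.exe"], approved, reference, False),
        "patched browser.exe": decide(patched, approved, reference),
    }
```

Calling `demo()` shows the three tiers: an explicit deny overrides presence in the reference scan, an unlisted baseline binary is permitted only while the fallback is enabled, and a binary modified after the baseline matches neither list.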

Integrity has some well-thought-out integration capabilities. It is the only product that can pull user and group information from a RADIUS server. It also can check virus-definition files from McAfee, Symantec and Trend Micro virus scanners. Zone Labs is the only vendor in this review that supports Symantec as a third party.

Integrity's reporting capabilities need improvement. The reports are both uninformative and confusing. For example, when FireHole triggered a program violation in iexplore.exe, Integrity notified us about the violation but failed to mention FireHole. Such a lapse makes it much harder for an administrator to discover the problem's cause.

Zone Labs Integrity 2.0, starts at $65 for an end-user license (server license included). Zone Labs, (877) 876-4960, (415) 341-8200. www.zonelabs.com

Internet Security Systems RealSecure Desktop Protector 3.5

ISS has improved the managed firewall capabilities of its product substantially since we evaluated it in 2001. While BlackICE, ISS's earlier product, lacked application control, RealSecure ICEcap Manager with RealSecure Desktop Protector comes with many new features, including application control. Nevertheless, a shortage of integration and antivirus-detection capabilities brought this product's score down.

Browser-based RealSecure ICEcap Manager provides four account classifications: system admin, account admin, system user and account user. The two ICEcap admins have write access, while the ICEcap users have read-only access to the management interface. System admins and users can access any group, while account admins and users can access their specified groups only.

For creating application-control policies, ISS offers a utility program to generate the MD5 hashes. You load this client on a baseline machine, and then copy the resulting text file to the management server and import it. You can allow any and all programs with hashes known by the server and allow or deny specified programs. When an application is approved, so are its DLLs. The application list is grouped by product names as determined by the baseline scan, though some applications fall in odd places. For example, "Internet Explorer 6" is one category, but it refers only to ie6setup.exe. The real Internet Explorer falls into the "Microsoft Windows Operating System" group. There's no changing these groups; you must use whatever product name ICEcap assigns to an executable. You also can't move applications into different groups.

ICEcap generates top-notch reports, courtesy of Seagate Crystal Reports. Not only do you get bar graphs of top signatures, intruders, targets, and most frequent attacks, you can drill down in them. By clicking on an attack type, you can see who attacked your system and all other attacks from that node. A link to the ISS advice center provides more detailed information.

RealSecure Desktop Protector 3.5, starts at $6,800 for 100 clients. Internet Security Systems, (888) 901-7477, (404) 236-2600. www.iss.net

Securitae CMDS 2.2

We received a very late beta of Securitae's CMDS (Centrally Managed Desktop Security) 2.2 and its Desktop Security Engine 2.0, which the vendor described as "almost gold code." This product has potential, thanks to the wide range of databases it uses to store data. It even supports open-source database packages MySQL and Postgres. However, the program needs some interface improvements.

CMDS is configured via a signed Java applet. You can create multiple administrators and assign them to configure only specific groups. The configuration tool lets you create and edit policies on a clean client machine, but figuring out how to use the tool is difficult, and the documentation is brief.

The package does provide powerful sandboxing, including component checking and mail spawning control. Policies for the sandbox environment, firewall rules and MD5 hashes can be exported and copied to the administration server.

There is not much to the event viewer, which contains filters based on time, priority, IP, reporting module and login name. The documentation states that this part is sparse because Securitae expects customers to build their own reporting tools. CMDS costs about $20 per seat less than the other products. However, we think the subpar management interface and sparse documentation negate this advantage.

CMDS 2.2, $40 per seat, Securitae Corp., (408) 919 7360. www.securitae.com

Symantec Security Center

Symantec's product, which consists of Security Center and Symantec Client Security, covers an antivirus product with a thin veneer of a firewall. As such, it falls short in several areas, especially in reporting and the management interface.

On the upside, you get a complete antivirus system--and not just Norton Internet Security with a different badge. At the program's heart is the System Center, which lets you load firewall and antivirus configurations and start virus-scan sweeps. It is designed to allow easy management of multiple servers spread across your organization.

The firewall configuration tool is a standalone program for creating firewall policies. You can import these policies into the System Center. Here you can allow or deny ports and programs. Because there is no scan or import tool, you must enter all applications manually. The tool can calculate hashes automatically, and can be installed on a clean client machine. You also can set up trusted and restricted zones.

The firewall does not engage communication between computers in the trusted zone. Symantec includes approximately 50 IDS signatures, and you can't add more manually. Perhaps the most disappointing aspect of this product is its lack of centralized reporting for firewall events. You have to get this information off each client.

There is no integration with directory services for user and group management. While Security Center does create MD5 hashes, it doesn't provide DLL or mail spawning controls.

Symantec Client Security, starts at $102 for 10 to 24 nodes. Symantec Corp., (800) 441-7234, (541) 335-7000. www.symantec.com

Michael J. DeMaria is an associate technology editor based at Network Computing's Syracuse University Real-World Labs. Write to him at mdemaria@nwc.com.
