Slashdot Mirror


Failing Grades For Most Anti-Spyware Tools

serbach writes "Steve Gibson posted this link to a superb test of about two dozen top Anti-Spyware programs: Eric L. Howes conducted the test over a two-week period in October. The results surprised me: only 3 ASW programs had a 'batting average' of better than .500 when it came to eradicating the broad range of spyware in the test. Freeware star Spybot Search & Destroy came in a distant 7th with an average of only .376. The top three? Giant Anti-Spyware, Spy Sweeper, and Ad-Aware. These test results are well worth your time."

14 of 517 comments

  1. Ars Report by cow_licker · · Score: 5, Informative

    Ars Technica also just did a review. Check it out.

    http://arstechnica.com/reviews/apps/spyware-removal.ars

    --
    $_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$ t=255;@t=map{$_%16or$t^=$c^=($m=(11,10,116,100,
  2. Spyware by cheezemonkhai · · Score: 3, Informative

    Well, Spybot may not do great, but it certainly does enough to clean up a person's PC so it works again without crashing every 5 minutes.

    My recommendation is Firefox or Mozilla, or even Opera if you prefer it.

    I do however note that if you take a clean system and then visit msn.com, then run Spybot etc., you will find that there are little evils that appear on your system.

    It now appears that the best option is to wave goodbye to MS if you can. Pick a nice Linux distro (e.g. Ubuntu or whatever suits you) or even Mac OS X and feel that little bit safer.

  3. Re:none here by afd8856 · · Score: 5, Informative

    I've seen spyware targeted at Firefox and Java applets that would want me to install something I was not curious enough to see. Fortunately, I was always asked if I want to install (security mechanism in Java and Firefox). I think grandpa will click OK on those boxes, without reading them first.

    --
    I'll do the stupid thing first and then you shy people follow...
  4. And if they fail... by Tuxedo+Jack · · Score: 5, Informative

    That's what SpywareInfo's for.

    http://www.spywareinfo.com

    It's arguable that they're the biggest antispyware site out there, and if nothing else, they can get the CoolWebSearch strains that even Ad-Aware and Spybot can't get (real-yellow-pages, linklist, et cetera).

    (Disclaimer: I'm a Trusted Advisor there.)

    --

    Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
  5. Re:none here by gtkuhn · · Score: 3, Informative

    I don't have spyware cuz I check processes for new things that pop up (XP Pro). I've had malware before and I reformat ASAP. Now, one nifty line of defense I use is a freeware program called Startup Monitor. http://www.mlin.net/StartupMonitor.shtml

  6. Spyware tips I've picked up by cybergibbons · · Score: 4, Informative

    I run a small IT consultancy, and nearly every internet connected PC we work on has a significant spyware infection on it. It's not only our job to remove it, but to prevent it coming back. The things that I've noticed after fixing a lot of problems:

    • People don't know they have spyware on their computers. They are crawling along, at a stage I would call barely usable, and it doesn't bother them in the slightest. Or, better still, they find those new toolbars really useful...
    • A combination of Spybot S&D and Adaware will clean up most problems. Hijackthis will then allow you to remove anything else. Some people say that Hijackthis is the only tool you need - but it can only remove very apparent problems, whereas the other tools will remove nearly all associated keys, files etc.
    • To prevent re-infection, you need to lock down the machine whilst it remains usable. People really do not want to change, or put any effort in. You can try putting Firefox and Thunderbird on the PC, but most people will choose IE, or complain if you hide IE, so they don't have the option.
    • Change the settings for the zones in IE to be more secure.
    • Add a big list of bad sites to the restricted zone in IE. This includes some sites that have content, but it's generally porn, and as our users are business users, they won't call us back to give them access to a porn site.
    • Add an even bigger list of ActiveX CLSIDs to not run.
    • Change the default action on Windows Scripting Host files, .scr files etc. from "run" to "edit". A lot of problems start with some user interaction, and this has cut down on quite a few (mainly non-spyware) problems.
    • A lot more small registry tweaks can be done... most of the above is done automatically by scripts we have written. One of the problems we found was adding keys once to each HKCU hive - you don't want to overwrite them at each login, or the user changes will be forgotten, but none of the Run, RunOnce etc. keys do it per user.
    • Add some buttons to the IE toolbar to put sites in the trusted or restricted zones, for when people have problems.
    • Install Spyware Guard - this provides some active protection against spyware.

    This won't stop everything by any means, but it slows down reinfection. End users need to change habits - reading EULA, not just clicking OK, using passwords - but this isn't something you can do with a couple of hours work, so people aren't willing to do it. I have no solution to that problem.
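Three of the lockdown steps in the list above (restricted-zone sites, ActiveX CLSIDs that must not run, and script files opening in an editor instead of executing) live in well-known registry locations, so they are easy to script. The following PowerShell is an added example written for this page, not the consultancy's own scripts, and the domain and CLSID it passes in are constructed placeholders. It assumes an elevated session on a Windows machine with Internet Explorer and Windows Script Host present.

```powershell
# Added example (not the poster's scripts). Applies three of the hardening
# steps from the list above through the registry keys Internet Explorer and
# Windows Script Host actually read. Run from an elevated PowerShell session.
# The site and CLSID used at the bottom are constructed placeholders.

# Restricted-sites zone. IE stores per-site zone assignments under
# ZoneMap\Domains\<domain>, one DWORD per scheme whose data is the zone id
# (1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted).
# Written to HKCU, so it applies to the current user only.
function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$Domain)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    New-Item -Path $key -Force | Out-Null
    foreach ($scheme in 'http', 'https') {
        New-ItemProperty -Path $key -Name $scheme -PropertyType DWord -Value 4 -Force | Out-Null
    }
}

# ActiveX "kill bit". Compatibility Flags = 0x400 tells IE never to
# instantiate the control, even if it is already installed on the machine.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value 0x400 -Force | Out-Null
}

# Script file types. The (Default) value of HKCR\<ProgId>\Shell names the
# verb a double-click runs; pointing it at Edit opens the script in the
# editor instead of executing it. The Open verb stays available from the
# context menu, so nothing is removed, only the default changes.
function Set-ScriptDefaultToEdit {
    $progIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'
    foreach ($id in $progIds) {
        $shell = "Registry::HKEY_CLASSES_ROOT\$id\Shell"
        # Only change ProgIds that exist and actually have an Edit verb.
        if ((Test-Path $shell) -and (Test-Path "$shell\Edit")) {
            Set-Item -Path $shell -Value 'Edit'
        }
    }
}

# Usage with constructed sample values (placeholders, not real indicators):
Add-RestrictedSite -Domain 'example-bad-site.invalid'
Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'
Set-ScriptDefaultToEdit
```

A real deployment would feed `Add-RestrictedSite` and `Set-ActiveXKillBit` from the site and CLSID lists the post mentions; the functions are kept single-item so they can be called in a loop and so each change is visible in the registry afterwards.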

    1. Re:Spyware tips I've picked up by cybergibbons · · Score: 4, Informative

      I should ad (hoho) that one major advantage of Spybot S&D is that you can schedule it to run quietly in the background... this just isn't possible with any of the other free tools. The command that does it:

      spybotsd /autoupdate /autocheck /autofix /autoclose /autoimmunize /taskbarhide

      There are other tools that help massively with spyware. As a consultant, it's equally important to understand the ways and means spyware gets onto the system, so that you can prevent and cure effectively, and respond to new spyware before the automated tools do it or before it appears on the many forums.

      • Sysinternals Utils are free and great. Process Explorer replaces the crippled useless tasklist in XP, and is quicker and easier to use than the command line utils. Filemon, Regmon, and Diskmon allow you to monitor files, registry keys, and disk access - you can see how, when, and why spyware is getting in.
      • WhoLockMe - appears on the right click menu in explorer, and shows what is causing a file to be locked. Again, this can be done at the command line, but this makes life that little bit easier.
      • Knoppix - for when it all goes very very wrong.... recover files, partition tables, reset passwords, even edit the registry
    2. Re:Spyware tips I've picked up by FullCircle · · Score: 3, Informative

      Since Captive NTFS was written to use the Windows DLLs to read and write NTFS partitions.

      http://www.jankratochvil.net/project/captive/

      Knoppix can find the needed DLLs and mount the drive as RW. It isn't 100% guaranteed safe, but when the system is already damaged it is definitely worth a shot.

      I've used it once to move data to a second drive for a customer and it worked flawlessly.

      --
      If tyranny and oppression come to this land, it will be in the guise of fighting a foreign enemy. - James Madison
  7. Re:Personal experience with anti spyware tools by catwh0re · · Score: 3, Informative

    In terms of spyware that runs on your system as a program, it's a good idea to write a list of the notorious Run directory in the Windows registry; that way you can check your list to see if new spyware (and sometimes viruses) have been added. What you need to really do though is ensure that you don't end up deleting legitimate additions to this list, such as those added after installing applications.

  8. An ounce of prevention worth a pound of cure by gtkuhn · · Score: 5, Informative

    Seriously guys, none of these spyware removers are even remotely perfect and they all suck time and CPU cycles. I disavow any knowledge of this guy, Mike Lin, but his itty-bitty FREEWARE program kicks butt. http://www.mlin.net/StartupMonitor.shtml It does one tiny little thing with almost zero overhead: it tells you what wants to insinuate itself into one of the several startup vectors of Windows, and gives you the option of not allowing it. Any spyware must have some part that runs at startup. This gives you a warning and a filename for googling to remove whatever you have contracted. Probably works for many worms, viruses, and trojans too.
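Both comment 7 (keep a list of the Run keys and compare against it) and comment 8 (watch the startup vectors) come down to the same check: a baseline of autostart locations and a diff against it later. The PowerShell below is an added example written for this page; it is not Startup Monitor and not either poster's own list. It covers the HKLM and HKCU Run/RunOnce keys plus the per-user and all-users Startup folders, and deliberately only reports, since, as comment 7 warns, legitimate installers add entries too and nothing should be deleted blindly. The baseline file path is an assumption.

```powershell
# Added example (not Startup Monitor, not the posters' lists). Snapshot the
# common Windows autostart vectors to a JSON baseline, then report anything
# that has appeared, changed or vanished since. Report-only by design.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell adds to Get-ItemProperty output; not registry values.
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Returns a hashtable: "<key>\<valueName>" -> command line, and
# "<folder>\<file>" -> SHA-256 of the file, for the Startup folders.
function Get-AutostartEntries {
    $entries = @{}
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $folders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $entries["$dir\$($_.Name)"] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $entries
}

# Take the baseline on a machine you have just cleaned (assumed path).
function Save-AutostartBaseline {
    param([string]$Path = "$env:USERPROFILE\autostart-baseline.json")
    Get-AutostartEntries | ConvertTo-Json | Set-Content -Path $Path
}

# Compare the live state with the baseline and print one line per difference.
function Compare-AutostartBaseline {
    param([string]$Path = "$env:USERPROFILE\autostart-baseline.json")
    $baseline = @{}
    (Get-Content -Path $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $current = Get-AutostartEntries
    foreach ($name in $current.Keys) {
        if (-not $baseline.ContainsKey($name)) {
            "NEW      $name = $($current[$name])"
        } elseif ($baseline[$name] -ne $current[$name]) {
            "CHANGED  $name : '$($baseline[$name])' -> '$($current[$name])'"
        }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) { "REMOVED  $name" }
    }
}

# Usage: once on a known-good machine, then after each session or install.
#   Save-AutostartBaseline
#   Compare-AutostartBaseline
```

A NEW line after a deliberate software install is expected and the baseline should simply be re-saved; a NEW or CHANGED line with no install to explain it is the filename comment 8 suggests looking up before deciding whether to remove anything.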

  9. Be careful not to shoot yourself in the foot by DigiShaman · · Score: 4, Informative

    About half the time a user removes spyware from a PC that is running really sluggish, I've found that the spyware removal utilities do NOT repair the winsock registry keys. Thus, you can't even get TCP/IP connectivity. You will know it's broken if you get an IP of 0.0.0.0, or repairing the LAN connection in XP fails instantly and you just get a 169.x.x.x address.

    If you do plan on cleaning a heavily infested PC, be sure you know how to repair winsock.

    If the customer is running XP with SP2, then you can run the "netsh winsock reset catalog" command (without quotes) to repair the connection and reset the winsock settings back to defaults. However, if the PC does not have SP2 installed, you will have to check out this link http://support.microsoft.com/default.aspx?scid=kb;en-us;811259

    For Win9x users, check out this link http://support.wadsnet.com/winsock/winsock98.asp

    --
    Life is not for the lazy.
  10. SINGLE BEST SOLUTION by dioscaido · · Score: 5, Informative
    Stop running your daily desktop account as Administrator. Most, if not all, of the spyware will fail when it attempts to infect your system. It's just general good practice anyway. No one runs KDE/Gnome as root, or logs into their OS X machine as root. Neither should we.

  11. Re:It's interesting by Ilgaz · · Score: 4, Informative

    It was a really funny chance that I myself got infected, in fact.

    It's in just a couple of Limewire 3.7.2 beta and 3.7.3 releases for Mac. When they saw Mac forums getting reports, they immediately pulled it from the installation.

    I am one (c) freak guy using all original DVDs, CDs, programs etc. It's really funny that I got infected with spyware because of Limewire, I mean...

    I left a friend alone with my Mac G5, knowing my root password, and I really didn't think he could be THAT GOOD on Macs, or I forgot how easy Macs are to use :)

    The guy installed Limewire to get a rare mp3 he likes and boom, I had Java asking permission to connect in the morning (NetBarrier running here).

    What drove me nuts is, I am one of the FIRST guys who figured out TopMoxie on Win32 and alerted the press (Wired etc.) about it.

    They figured Mac users are aware of what that thing does and pulled it.

    Here is a forum posting for you, on a really popular Mac website.
    http://forums.macnn.com/showthread.php?s=&threadid=195695

    About Top Moxie? Oh man, that thing was more evil than Satan... Can't imagine how much money went to the wrong hands instead of to non-spyware legit referrers of Amazon.com etc.

    http://www.symantec.de/avcenter/venc/data/adware.topmoxie.html

    Looks like Symantec analysed a recent version. That thing is written by very advanced Java authors itself, read: Limesoft. It was first bundled with Limewire/Windows, and OS-integrated firewalls like Symantec firewall AUTOMATICALLY granted ALL rights to it since it was using SIGNED Microsoft JView to run. So, JView, signed app, you get an alert from the firewall which RECOMMENDS enabling access since it's a signed Microsoft system part.

    Understand the trick? Since it's the SAME trick used on Limeshop/OS X.

    Oh, it did one "cool" thing on Windows...:) You know there are poor coders, freelance authors etc. making money to run their sites via referring books, CDs from Amazon etc.? It rendered such URLs (child's toy to get the current URL from IE) and REPLACED it with some Limewire referrer.

    Looks like they changed that attitude since Amazon and major, LEGIT referrers threatened a lawsuit against them.

    We _must_ keep an eye on that Limeshop and TopMoxie, especially Java fans and developers. This is one cool(!) and evil way to unleash Java's "run anywhere" potential. As it's written in Java, imagine 1 year later we speak about J2ME (Java Micro Edition) spyware which is installed on cell phones and PDAs, and Nokia, Ericsson give their customers the option to DISABLE Java via firmware.

    Or let's say, you see people bragging that Linux, BSD are free of spyware? It can easily change with that sneaky Java thing.

  12. Re:It's interesting by Hobophile · · Score: 3, Informative
    When you loan an amount on INTEREST, you always make a profit. The more money you have the more profit you can make. The rich get richer - faster.


    This line of reasoning is absolutely misleading. With any loan there is a significant possibility of default. Profit is not guaranteed, and the interest provides economic motivation for people with surplus cash (the "rich") to loan money to people who need it.

    Furthermore, this completely ignores the benefits that the borrower obtains from loaned capital. The ability to leverage money not your own is incredibly powerful, though not without significant risk. You can borrow funds to invest in a business or real estate, and done properly you have a good chance of making yourself quite a bit more wealthy. In many cases your return will far outstrip that of your lender.

    When you invest that same amount in a business, you can lose that money. You cannot sit on your ass all day and hope to make money.


    By any measure, buying stock in a company is investing in its future growth potential. The average shareholder can do very little to guarantee this return except sit around all day. Further complicating this worldview is the notion of "investing" in the bond market, which essentially involves purchasing shares in interest-bearing loans.

    Delve deep enough, and you get to the core concepts of capital, investment, and return on investment. What you are essentially suggesting is that one kind of ROI is "bad" (interest) while others are "good" (dividends earned through hard work). While this is an intriguing premise, there is no logical method of obtaining this conclusion.

    It should be noted that much of the utility of wealth lies in its ability to let you choose to work hard only for the things you want to. There is no great benefit in suggesting that hard work itself is moral; people can and do work very hard for extremely selfish or malicious purposes.