Slashdot Mirror
Failing Grades For Most Anti-Spyware Tools
serbach writes "Steve Gibson posted this link to a superb test of about two dozen top Anti-Spyware programs: Eric L. Howes conducted the test over a two-week period in October. The results surprised me: only 3 ASW programs had a 'batting average' of better than .500 when it came to eradicating the broad range of spyware in the test. Freeware star Spybot Search & Destroy came in a distant 7th with an average of only .376. The top three? Giant Anti-Spyware, Spy Sweeper, and Ad-Aware. These test results are well worth your time."
Ars-technica also just did a review. Check it out.
o va l.ars
http://arstechnica.com/reviews/apps/spyware-rem
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;
The attitude to directed advertising programs or "spyware" on Slashdot. Especially when you step outside the parochial echochamber that is Slashdot discourse and speak to people who actually use these programs. On the whole, they are actually happy to get these novelties for "free", like the funny little desktop buddy, or the search bar, weather report or stopwatch.
I used to work for one of the companies that distributed a "spyware" program through download.com, and we had continual PR problems with being lumped in with the worst offenders of the spyware world. We didn't do drive by installations, or hide our intentions: we just traded our customers data for use of our program. What, exactly is wrong with that? Why is Slashdot pretending all of us are as bad as each other, as if in this, as with all fields, there isn't a spectrum of behaviour?? Even some linux users are bad, just look at the DDOS at sco.com. I'm sure noone here would condone that behaviour.
(Posted anonymously, not interested in karma bonus.)
I gonna get firefox and ad-aware asap. I also want to get screwed! No more than 2 weeks right?
I wonder what it is like...
Well Spybot may not do great, but it certainly does enough to clean up a persons PC so it works again without crashing every 5 minute.
My reccomendation is firefox or mozilla or even opera if you prefer it.
I do however note that if you take a clean system and then visit msn.com, then run spybot etc you will find that there are little evils that appear on your system.
It now appears that the best option is to wave goodbye to MS if you can. Pick a nice linux distro (eg Ubuntu or whatever suits you) or even MacOS X and feel that little bit safer.
I've always found a combination of Ad-Aware and HijackThis do an excellent job of keeping all things spyware under control. Ad-Aware for more frequent scans, and the odd hit of HijackThis when things seem screwy. Admittedly, I don't know how much spyware I actually miss but it seems to keep XP happy for most part :)
I've seen spyware targeted at firefox and java applets that would want me to install something I was not curious enough to see. Fortunately, I was always asked if I want to install (security mechanism in Java and Firefox). I think grandpa' will click ok on those boxes, without reading them first.
I'll do the stupid thing first and then you shy people follow...
you never know where your internet connected peecee might be sending it's bytes.
hmmm why is that activity LED blinkin?
Now I'm the grandest Tiger in the Jungle!
This isn't a standard issue MS bashing troll but you do have to question whether given the ease at which programs (which is what spyware is) can install themselves on someone elses computer with little or no user intervention , Windows is fit to be allowed on the internet. If all windows systems were taken offline then almost all viruses and the like would disappear almost immediately along with spambots and other unpleasent creations of the black hat fraternity. I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.
These test results are well worth your time.
No they are not. I already burned all Windows CDs in the fire. You wan't believe how much time I gained by doing this!
There you are, staring at me again.
That's what SpywareInfo's for.
http://www.spywareinfo.com
It's arguable that they're the biggest antispyware site out there, and if nothing else, they can get the CoolWebSearch strains that even Ad-Aware and Spybot can't get (real-yellow-pages, linklist, et cetera).
(Disclaimer: I'm a Trusted Advisor there.)
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
I don't have spyware cuz I check processes for new things that pop up (XP Pro). I've had malware before and I reformat ASAP. Now, one nifty line of defense I use is a freeware program called Startup Monitor. http://www.mlin.net/StartupMonitor.shtml
This is a very good solution :
http://www.freedownloads.nl/hitman_pro.htm
It's dutch and it runs Ad-aware, Spysweeper , Spybot S&D, Stinger, Spywareblaster , ect...automaticly....
The anti-spyware game is a real case of horses for courses - one tool will detect some spyware and miss others, while another will find all the bits the other missed, but miss off a couple it didn't. There really is no 'definitive' spyware removal tool and it's foolish to say there is. I advise people to run both Ad-Aware and Spybot with latest updates at least once a week to ensure almost all spyware is found and removed, as I've had too many instances of one of the two missing out five or six items on every sweep that the other one found straight away.
.dll that a program the user makes use of hooks into, the program may stop working, and who would get blamed? the anti-spyware vendor. Hey presto, Spybot looks like pure evil because they just killed off Joe User's cool new P2P app because keylog32.dll got wiped. This happened a lot when Kazaa was big - naive users getting told by techy types to run Spybot every now and then to clear spyware ended up bitching because it nuked the spyware that Kazaa checked for before starting up. They didn't seem to care about privacy when protecting it stopped them getting their MP3s and porn.
.exes, they will visit dodgy sites and they will do all manner of things because they believe they are safe. They don't understand that spyware blockers only work against known types of spyware, not all spyware in total. Naive users seem to think it's an agreement between spyware vendors and anti-spyware companies when it is, to all intents and purposes, an arms race which the anti-spyware groups will always in second place.
/. are now serving ads to the Microsoft 'Get the Facts' campaign? Is this Slashdot putting one over on Microsoft by taking the money they throw at them when they know no-one here will believe it, or have they reached a new low, actually showing not just Microsoft ads, but ones that feature blatant FUD against FOSS?
You could probably get even better performance by running more than those two, but I'm not going to harrass my clients to start running half a dozen programs just to remove spyware and it's a pretty rare thing to come across a piece of spyware, even a humble cookie, that both of those two miss. Anyway, my point is this; You can't just run Ad-Aware or Spybot and think you're protected. Until an anti-spyware tool has a 100% record against all known spyware, I won't consider them anything near a definitive tool, or a licence to behave recklessly on the net, something which too many naive people seem to do.
The problem with anti-spyware tools is three-fold;
a) They are made by private companies and individuals who's credentials and/or decency cannot be guaranteed. They could easily take kickbacks from spyware companies in exchange for 'excluding' their programs from the scan list. Sure, it might not be happening now, but what's to stop Lavasoft suddenly to start taking kickbacks to let the less insiduous spyware through? Unless you're on the inside of a company like that, you can never be sure. I'm sure Lavasoft aren't doing anything like that, as these results prove, I'm merely using them as an example - any anti-spyware app people trust is in an immensely powerful position on the user's computer, and any money-seeking company can theoretically be bought out.
c) When they remove a spyware
c) People do, as I mentioned above, use them as an excuse to behave recklessly on the internet - they will install random
Anyway, what was my point again? Oh yes, that these statistics are misleading for naive users. Ad-Aware and the others are now going to start shouting from the rooftops about how they're one of the top 3 anti-spyware apps on the market, and thousands of lusers will trust themselves to it implicitly solely because of that blurb, while the reality is Ad-Aware still misses stuff, and it is more than fallible. That 'lowly' Spybot has turned up half a dozen items Ad-Aware failed to find at least three times for me, but I wouldn't run that on it's own either - Everybodyb knows it's a good idea to get a second opinion, especially when it's free.
Also, does anybody else find it funny that
Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
The reasons seem to be simple;
Yet, the test results show that the spyware detectors aren't in the arms race against spyware that I described above. Instead, many spyware revisions aren't detected at all. Either they don't know about the spyware revisions, the spyware is not being tested for, or the spyware is being ignored on purpose.
Right now, the bar that the spyware creators have to leap is very low. Both social engineering and direct injection onto systems make spreading these things fairly easy to do for the spyware maker. Tie that in with many spyware detectors not detecting completely, and not being used consistantly, and I don't see an end to this problem soon for most people.
What to do? I'll leave that to others for now. I have my own lists. It is a security issue so the systems should be considered to be on hostile networks and hostile users. I consider 2 hours to lock down a Windows XP system to be a reasonable minimum amount of time to spend on each system -- unless automation tools are used.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
User stupidity is still the number one security problem.
I run a small IT consultancy, and nearly every internet connected PC we work on has a significant spyware infection on it. It's not only our job to remove it, but to prevent it coming back. The things that I've noticed after fixing a lot of problems:
This won't stop everything by any means, but it slows down reinfection. End users need to change habits - reading EULA, not just clicking OK, using passwords - but this isn't something you can do with a couple of hours work, so people aren't willing to do it. I have no solution to that problem.
In terms of spyware that runs on your system as a program, it's a good idea to write a list of the notorious Run directory in the windows registry, that way you can check your list to see if new spyware(and sometimes viruses) have been added. What you need to really do though is ensure that you don't end up deleting legitimate additions to this list, such as those added after installing applications.
Seriously guys, none of these spyware removers are even remotely perfect and they all suck time and CPU cycles. I disavow any knowledge of this guy, Mike Lin, but his itty-bitty FREEWARE program kicks butt.http://www.mlin.net/StartupMonitor.shtml It does one tiny little thing with almost zero overhead, it tells you what wants to insinuate itself into one of the several startup vectors of Windows. And gives you the option of not allowing it. Any spyware must have some part that runs at startup. This gives you a warning and a filename for googling to remove whatever you have contracted. Probably works for many worms, viruses, and trojans too.
No, friend, you really don't.
The point is not that we technically proficient people can deal with SpyWare but rather that the 99% of computer users who are not technically adept can use their computers, the internet and their email without having to fight a constant battle with unwanted intrusion.
What other mass-produced, home appliance can you think of that requires a deep understanding of its inner workings? We, as the technicians, should be hanging our heads in shame that we have failed, in over 20 years of trying, to devise a machine and an interface and a secure environment that allows the end-user to enjoy the internet or office suite or any other application with such carefree abandon as they do their TV or Dishwasher or Microwave.
Sure people need to be careful, just as they do when driving or using a blender, but surely it is not beyond the wit of man to hide the complexity of the system. Surely a better use of our time and effort, rather than trying to play catch-up with 'the man' is to start finding common ground upon which we can progress best practices... Let the Corporations then compete on price and feature-sets from that good and solid foundation rather than firing off in their own directions with their own agendas and muddying the already dirty waters.
We have a lot of work to do, I'm afraid.
quidquid latine dictum sit altum viditur
HOwever , these programs could do anything which is the worrying part. 99% of them may just be Gary Grocer trying to make some extra money
I think you're underplaying the seriousness of Gary Grocer's nefarious activities. After all, he's an internationally-wanted credit card fraudster who is also notorious for using zombified PCs to send spam.... that's how he makes his "extra money". (Note: There is a reward for the capture of him and his money-laundering associate, Freddy Firefighter).
"These people are scum, " says Florida's Head of Anti-Fraud Investigations, Calvin Criminal.
"Damn right, " adds his colleague, Alvin Arsonist.
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
Until engineers and computer scientists can make computers idiot proof, I don't see why we should consider computers a 'generic consumer product'. You need a license to drive a car, since the car is by no stretch of the imagination idiot proof. If you try driving a car in traffic without any sort of training you'll most likely end up hurting yourself and others.
Similarily, using a computer with a broadband connection to the Internet without at least some idea of how to make the computer secure (i.e. antivirus software/firewall) will most likely result in a computer infected with trojans and spyware, causing problems for the owner. What's worse, his computer will probably infect other computers as well.
Sometimes the concept of an "Internet license" similar to the driver's license actually seems like a good idea. A driver's license doesn't stop car accidents from happening, but a least you're keeping some of the worst morons off the road.
I can concur with the grandparent. I have a windows box running xp, and use firefox and thunderbird. It lives behind NAT from my linux box, and I never see any spyware/malware crap.
I just ran Ad-Aware for the first time in a while (it told me my definition file was 109 days old), and it prompted me to go download an upgrade. Ironicly, it launched IE for this (firefox is definately set as default). Once it finished updating and running a full scan, it found 4 whole 'bad' things, which in this case were IE tracking cookies (doubleclick.net, etc). 2 of those 4 had a creation date of today, meaning they were picked up in the process of downloading that adaware update...
About half the time a user removes spyware from a PC that is running really sluggish, I've found that it the spyware removal utilities does NOT repair the winsock registry keys. Thus, you can't even get TCP/IP connectivity. You will know it's broken if you get an IP of 0.0.0.0 or will fail instantly to repair the LAN connection in XP and just get a 169.x.x.x address.
; en-us;811259
If you do plan on removing a heavly invested PC, be sure you know how to fix repair winsock.
If the customer is running XP with SP2, then you can run the "netsh winsock reset catalog" command (without quotes) to repair the connection and reset the winsock settings back to defaults. However, if the PC does not have SP2 installed, you will have to check out this link http://support.microsoft.com/default.aspx?scid=kb
For Win9x users, check out this link http://support.wadsnet.com/winsock/winsock98.asp
Life is not for the lazy.
Seems to be more and more firefox is leaning towards the 'Weve blocked this, click here to find out why' approach, would be nice if this was extended to all areas including dangerous java programs/etc.
The general public is composed of people who literally can't tell the difference between Adobe Photoshop and Adobe Acrobat Reader, or Mozilla Firefox and Mozilla Thunderbird. This is no hyperbole, I know many people with this problem and I'm sure you've met some yourself. They'll call and say, "I'm having a problem with my Adobe." Or ask you repeatedly which application you're in right now when you're both looking at the screen, even though the applications present completely different interfaces. The person usually will have been using the applications in question for months or years, and still can't tell them apart without thinking about it really hard.
Is it simple ignorance? No, that could be easily corrected. Is it sheer stupidity? No, these people are otherwise of average intelligence or better. It's some kind of weird mental blindness that comes over people whenever they are faced with a computer screen. It's conditional stupidity, and it's one of the main problems with the general public. Most of them will never learn to be careful until you hook up a car battery to their earlobes that gives them a physical notice whenever they do something stupid. Otherwise they just don't seem to be equipped mentally to grasp the concepts involved in using a computer responsibly. The software industry hasn't exactly been helping matters, but they have a monumental task ahead of them. I think computers are just too abstract for a lot of homo sapiens sapiens to deal with.
"Moreover, users should learn to practice safe computing habits, which include avoiding web sites and programs of unknown or dubious provenance and carefully reading End User License Agreements and Privacy Policies."
Am I the only one who doubts that will come true any time soon, we all know how to click on a button as a reflex action, reading a lengthy EULA full of lawyerspeek... that's a headache.
I've said this before, but here goes again: what's "wrong" with non-nerds is that they're used to the Real-World "security model". The real world doesn't work like computers do.
In the real world, you don't have to have an absolutely-unbreakable titanium-plated vault door to your house, nor bullet proof windows. If anyone wanted to hack your front door down, it's worth a maximum 5 minutes with an axe.
Real world locks also aren't supposed to be unbreakable. Au contraire. By computer security standards, they're a catastrophe. Most allow 1-pin-at-a-time attacks, which in computer security is the worst anti-pattern. Locks with master keys allow easy escalation of privileges too.
It's all documented vulnerabilities (or exploits) and they've been known for ages, and never fixed.
But they work IRL anyway. Yes, any kid could lockpick your front door, or hack it down, or just throw a brick through the window to get in. But people still use locks, doors and windows.
Why? Because the IRL (In Real Life) you don't live in a lawless no-man's-land where any kiddie with a lockpick is l33t and free to pick your lock. IRL your real defense isn't the lock, but the law.
The lock or the door just markers. They just say "you're not supposed to be past this point uninvited, and if we find you inside, we'll throw your sorry ass in state jail."
(If you're a die-hard gun fanatic, feel free to replace by "if I find you in, you'll get a gut full of buckshot." Same idea: there'll be repercursions. The door just marks the point beyond which the thief is not supposed to go, not _the_ deterrent itself.)
And people instinctively expect the same kind of rights and protection to apply to the online world too. "This is my computer, you're not supposed to be on it. Your playzone ends at the ISP, and this side is my private property."
Unrealistic expectation? Maybe. But it exists nevertheless.
Unreasonable expectation? Not at all.
A polar bear is a cartesian bear after a coordinate transform.
What's wrong with the general public is they don't give a damn about computer security. Nor should they have to -- a computer is supposed to be a generic consumer product, usable by anyone.
That would work if a computer had about the same features and abilities of a toaster.
Unfortunately, a computer is mixture of hardware and computer software that can do office tasks, multimedia, file sharing, communications, and gaming. The feature set is easy to upgrade and expand through software installations.
In addition, due to most computers being connected to the rest of the world, the cost benefits of spyware/viruses (creating spamming relays is big money) and the fact that trying to infect an individual computer is effectively free, the problem is apparent.
Any product with a ton of features and abilities requires user training. Its possible to easily design a car that doesn't require knowledge to drive -- as long as everyone will only go to the mall or the grocery store. But people use their autos for many destinations, over many different roads, and thus we require people to learn how to use cars.
A computer is no different.
Want to write documents? A typewriter works. Some of the electric ones were quite nice. Want to send text messages? SMS over mobile phones. Want to send documents? Fedex. Games? A console. Music? A radio.
Want to do all of the above, and more, with the ability to extend the features and easily upgrade for less cost? Okay. But it will require some training.
If you disconnect yourself from the internet, and lose that feature set, you will probably be secure. Even disconnected, not knowing what you are doing will have consequences. If you are lucky, the only consequence will be wasting your own time. If you are unlucky, you will be frustrated by fighting with the computer all the time to do what you want, how you want it.
Do you want to connect to the net? Congratulations, now you are exposed to the worst people in the world. Would you be cautious walking down a street in Romania with your credit cards in your wallet? Why aren't you cautious while you are online, making purchases, connected to the same network as a Romanian hacker?
I'm sorry, but we can't not create an idiot-proof box. We can't even make a box that requires zero knowledge to run. Our best bet is education.
I've recently seen a rash of new spyware that registers a .dll or ten into the TCP/IP stack, or even in some cases a device driver. Those are truly the beasts. And, of course, the normal Windows startup routines don't necessarily apply, since Windows will include the dll's at launch, and once they're hooked into a process, they'll go about their nasty business as part of what may otherwise be considered a legitemite executable. The line between spyware and a virus/worms/trojans these days is so incredibly thin, it's hard to see anymore.
If it hasn't already become obvious I'm all in favor of dropping large objects on the scumbags that make this kind of stuff. Say, a super-large special order 1000 ton ACME anvil, to start?
I'm not surprised Spybot did badly.
These things go in cycles, kind of like the Darwinism that didn't work quickly enough on the germ plasm that somehow evolved into the amoral mockeries of humankind that write spyware/malware.
Adaware was widely used for a while, then I started noticing that it wasn't working so well.
Then Spybot is/was hugely popular and extremely effective, so I've started to notice that it too is missing stuff now (or is unable to remove what it finds).
Virus...er...spyware writers are working against these programs, and it's only natural that they are evolving their code to defeat at least the most successful/widely used anti-spyware programs out there.
You wouldn't expect the flu inoculation from 5 years ago to protect you this year, would you? Spyware - and it's counteragents - are the same.
-Styopa
What I do not understand is how can this be legal. To me this is no different than a trojan (the viral type not the condom.) Maybe it does not self-replicate and spread, but it still hijacked my friends computer. I thought that the malicious or destructive control of a computer without the users consent was illegal according to federal law. Why is it the the government will go after script kiddies, but does not go after the corporate goons who are no better? Oh, wait, I forgot. Script Kiddies do not make political contributions. I'm going to email my congressman.
Insert Generic Sig Here: