Slashdot Mirror


MS AntiSpyware vs Ad-Aware vs. SpyBot

An anonymous reader writes "Flexbeta.net compares Microsoft's new spyware fighting tool, Windows AntiSpyware, to Ad-Aware and SpyBot S&D, the two leading spyware tools on the market today. The review sets up an infected PC using VMWare Workstation and scans the machine using all three tools to see which tool detects the most spyware. Though still in beta, Microsoft AntiSpyware does an amazing job at detecting spyware by finding twice as many infected files as Ad-Aware and nearly three times as many as SpyBot."

33 of 535 comments

  1. Wow, is this for real by Cracell · · Score: 5, Funny

    So wait a sec, Microsoft's product is actually good?

    --
    Signatures are so 90s
    1. Re:Wow, is this for real by wankledot · · Score: 5, Funny

      Of course it's good, they know where to find spyware and viruses because they're the ones that created them!!@# [/tinfoilhat]

      --
      My sig is blank, I typed this by hand.
    2. Re:Wow, is this for real by Rasta+Prefect · · Score: 4, Informative

      I've noticed adaware often does this. It says there are 300 infections, but only 3 of them are program executables and only 1 is running. Many of them are cookies, so I suppose those could count individually, but separate dlls for the 3 programs it found should not be counted as separate infections.


      Usually they do show what each file belongs to as well, so you can see roughly how many products they're removing. The number of files removed _is_ relevant however - many spyware programs tend to make multiple copies of themselves that'll happily restore each other when one is removed.

      --
      Why?
    3. Re:Wow, is this for real by Master+of+Transhuman · · Score: 4, Insightful


      Depends on your definition of "free software", doesn't it?

      If someone writes a utility and gives it away, it rarely has spyware in it.

      If a commercial or sports site "gives away" some lame "utility" to help you keep track of baseball scores, it usually has spyware in it.

      This is not "free software".

      I've NEVER seen spyware in GENUINE "freeware".

      I frequent porn sites and I rarely even get spyware from THEM since they already know what you want and don't need to spy on you - and mainstream commercial advertisers don't advertise on them because it looks bad, so there is no motivation to put spyware on many porn sites. Of course, there are the lame sites that install overseas dialers and crap like that, but in general you get spyware from lame commercial sites selling crap.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
    4. Re:Wow, is this for real by fm6 · · Score: 4, Insightful
      You got modded up as funny. You deserve the upmod, but I think you make a serious point. Microsoft products don't always start out as total crap. Sometimes they buy a decent product from somebody, or invent something with a good basic design (their old Multiplan product was the first spreadsheet I didn't consider a total kludge), or invent some idea that could be really useful if it's implemented right. But then they throw their bureaucracy, their intense intracompany rivalries, their focus groups, their love of feature bloat, and (most of all) their compulsive tweaking at the product. Before you know it, you have some monstrosity that only runs on the latest hardware and that's a total pain to use.

      That's why I'll always be sorry the Democrats didn't stay in power long enough to break Microsoft up. If Microsoft developers were forced to operate in a competitive environment where mistakes actually hurt them, we'd all be better off -- including the former Microsofters.

    5. Re:Wow, is this for real by imroy · · Score: 4, Insightful

      Maybe the MS product found the Spybot S&D definition file(s). Did you pay much attention to what the MS beta had found before telling it to delete them all?

    6. Re:Wow, is this for real by Zeinfeld · · Score: 4, Informative
      Actually there is a huge problem with anti-spyware deleting anti-spyware. The problem is that the anti-spyware ends up looking very much like spyware as far as heuristic checks go. So for example it tries to resist being clobbered by the spyware, it scans the disk, it hooks into similar entry points.

      The same problem happens with legislation. The Bono anti-spyware bill as currently drafted would make most of the anti-spyware programs illegal. It's not intentional, it's just bad drafting. The problem is that what is spyware is at some level a consent issue and so drafting is horribly difficult.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    7. Re:Wow, is this for real by fm6 · · Score: 4, Informative
      What I would like to know is, is the Microsoft version finding the same spyware in different locations or finding different types of spyware in the same locations? The reason I bring this up is for Microsoft to beat everyone else by a factor of two just doesn't sound right. Not that it can't be done just that it was done.
      I'd already cleaned off the existing spyware using Ad-Aware and Spybot. So this was new stuff.

      It shouldn't surprise anybody that Spybot and AdAware miss a lot of stuff. There's a lot of crap out there -- I've heard reports of people having thousands of infections. The big problem is keeping those databases up to date. Since Spybot is basically some guy's hobby, and Lavasoft has never put a lot of effort into maintaining AdAware (a product that was given to them by its original author, on the condition that they always provide a free version), naturally their databases have lagged. It was inevitable that somebody with deep pockets would invest the time and money to do a better job.

  2. For fairness... by Raindance · · Score: 4, Insightful

    To be fair, "infected files" is a rather ambiguous notation (perhaps "malicious packages" would be a better way to count things).

    I would also feel better if the submitter hadn't been anonymous. Though it's probably not astroturfing.

    RD

  3. Wait a minute... by Anonymous Coward · · Score: 5, Funny

    Wait.. aren't we supposed to hate Microsoft? I'm confused.

  4. Funny... by lga · · Score: 5, Funny

    Does anyone else think it funny that the advert at the bottom of this review is for Smiley Central, a well known piece of computer-invading crap?

  5. Great! by 2MuchC0ffeeMan · · Score: 4, Insightful


    The Real-Time Protection agent is awesome. It automatically informs you of any changes being made to your current settings; such as if your IE homepage is trying to be changed. It also warns the user if any spyware is trying to be installed.
    So it has to be running first. Just what I want my computer to do, run more stuff.

    Also, I kinda know when our homepage is hijacked, and this is why I switched to Firefox.

    --
    Runnin' On Empty .... I'm Still Alive
  6. Missing Information by sangreal66 · · Score: 4, Insightful

    I only took a cursory glance at the article before it was /.ed, but I did not see any attempt at analyzing how many of the additional items found by MSAS were false positives. This seems like pretty vital information.

  7. Enough already. by XorNand · · Score: 5, Insightful

    Ok, enough of the "MS should do better, they make the holes" comments. If you remember correctly, MS bought this code only a short while ago from Giant Company. About the only thing Redmond has done is repackage and rebrand it.

    --
    Entrepreneur : (noun), French for "unemployed"
  8. Just tried to install this MS AntiSpyware by benzapp · · Score: 5, Interesting

    and apparently their detection of license keys has greatly improved... my key is invalid.

    Anyone else have this problem using their obscure key of choice? SP2 installed fine a few months ago.

    --
    I don't read or respond to AC posts
    1. Re:Just tried to install this MS AntiSpyware by Chemical · · Score: 5, Informative

      You can download without having to validate your license. Just select the "No, leave me the hell alone" option when downloading.

  9. Not a Microsoft Designed Product by nurb432 · · Score: 4, Informative

    They just bought a company and rebranded..

    Wait a few generations, then it will be a 'true' Microsoft Product..

    --
    ---- Booth was a patriot ----
    1. Re:Not a Microsoft Designed Product by Jesus+2.0 · · Score: 5, Funny

      I renamed a textfile something like claria.exe and that thing started screaming immediately that bad people were trying to take over my life.

      Wow, how horrible. I can't imagine how annoying and dangerous that would be for me, given how often I rename text files to claria.exe.

  10. Re:Twice as much by Rob+Carr · · Score: 4, Informative
    After a vicious round with spyware, I switched to Firefox and regularly running AdAware and Spybot. Still, I ran the MS program to see what would happen.

    Adaware and Spybot report a lot of cookies. MS's program didn't. On the other hand, the AntiSpyware program found stuff the other two didn't. Total "hits" weren't 2-3x, but I've decided to keep AntiSpyware in addition to the other two programs.

    --
    This sig seemed like a good idea at the time....
  11. This isn't really MS antispyware by mutilated_cattle · · Score: 5, Informative

    MS just bought giant AS and rebranded their product as Microsoft. As far as I can tell there's very little change to the program itself beyond the branding.

    Giant has always been among the top antispyware products, as evidenced by Failing Grades for most anti-spyware tools so this "MS should know their own security holes better than anyone" stuff isn't strictly relevant. I think MS should focus more on fixing the security problems in IE that are responsible for 90%+ of spyware infections rather than sticking plaster over the holes by buying up anti-spyware solutions. Is this even going to be free when it's released?

    Personally I prefer webroot spysweeper anyway, Giant has always generated too many false positives for me.

  12. Hold up! by NeoSkink · · Score: 4, Insightful

    Wait wait wait! Microsoft is going to charge for their program?

    Maybe I haven't been following the story very closely, but that seems like a stupid move. "Our operating system and browser allow this stuff in the first place, now pay us to remove it."

    Keeping that in mind, I'll stick with the FREE AA and SB.

  13. Spyware by JohnyDog · · Score: 4, Insightful

    Both Ad-aware and Spybot are popular and established, which means that newer spyware/adware knows them, knows how to hide, avoid them or even completely disable them, even if they're frequently updated. So it isn't surprising that MS AntiSpyware performs better now, but that doesn't tell anything about how it will perform in a few months from now.

    --
    People who like this sort of sig will find this the sort of sig they like.
  14. The advanced tools are worth the d/l alone by British · · Score: 4, Insightful

    The MS utility found some Dutch porn dialer that was on my system since 2003. AdAware never found it.

    But what wowed me were the useful utilities in the "advanced tools". I was finally able to disable a few annoying system tray icons(totally forgetting how to do it in Win2k). I still can't get the Nvidia driver utilities off, but MS is not to blame in that case.

    The tracks eraser functionality goes way beyond a simple "url cleaner". You can clear the document history, etc for TONS of apps. I'm wondering when the anti-MS zealots will be yelling that it will be a useful tool for child pornographers(heh).

    The GUI is a bit shoddy. I wish I could keep the hierarchical list of stuff when I'm inspecting the startup apps, etc, and there's no + to collapse/expand. Either way, I love the advanced utilities alone, and could probably clean out TONS of spyware, etc if I run this on my dad's PC.

  15. Re:Why would this be a surprise? by myowntrueself · · Score: 4, Informative

    "Now, MS were naive to think that no-one would ever exploit that feature maliciously"

    At least in the beginning they took measures to stop it; the original outlook couldn't even receive pop or imap email and hence the only incoming email was supposed to be from the corporate Exchange server.

    It was only later, when the internet became popular, that, uh, by popular demand they produced add-on packs for exchange with which you could use pop, smtp and imap.

    Then the email viruses began to take advantage...

    I reckon that they should now go the other way around; produce a special add-on pack for the VB scripting and just leave it right out of the default install.

    --
    In the free world the media isn't government run; the government is media run.
  16. False positives.. by wfberg · · Score: 4, Informative

    Among the things MS Anti-Spyware found on my system (which is actually well-maintained, so perhaps not the best test-bed) none was a real hit, they were all false positives.

    It even managed to warn against registry settings put in place by SpyBot to ensure a malicious site runs in internet explorer's restricted zone!

    Also, it reported with glee that TightVNC is a dangerous hacking tool. I happen to use it to help out people, exactly the kind of people who are likely to remove it if AntiSpyware complains about it (e.g. my mom).

    Then a load of DLLs that are actually dummy DLLs shipped with the "lite" version of a (once upon a time) popular ad/spyware ridden app - again, it's detecting its competition!

    And then there are the residual files/empty directories/registry settings that adaware/spybot didn't remove some months ago when I tried an app that came with ad/spyware. No active components at all.

    Another thing I don't like about it is that its user interface doesn't scale properly when you've adjusted your DPI settings.

    Also, its on-access scanner (for want of a better word) comes with an enormous performance hit, and is mostly concerned with Internet Explorer hacks. Those are a minor concern for me since I use firefox, and besides, Microsoft should fix IE, not ship cycle/ramhungry monitoring applications for it (though that's hardly GIANT's fault).

    In other words, I'm underwhelmed.

    --
    SCO employee? Check out the bounty
  17. Microsoft AntiSpyware forces you to install IE 6 by Brett+Glass · · Score: 4, Interesting

    I just attempted to install Microsoft AntiSpyware on a machine from which Internet Exploder had been mostly removed via the utility Win98 Lite. It refused to install, insisting upon the presence of Internet Exploder 6. The machine in question uses Mozilla, with which we're quite happy. It appears that Microsoft is tying yet another product to the use of Internet Exploder 6, probably in violation of the recent DoJ Consent Decree. Will the Bush Justice Department do anything?

  18. It's trivial to generate false positives... by John3 · · Score: 4, Insightful

    How about attaching your claria.exe text file to all your outgoing emails, sending your emails out with a subject of "I'm not selling Viagra, Cialis, or Rolex Watches!!!!" and see what kind of false positives you get from anti-spam and anti-virus filters. It's not a precise science, so I'd expect false positives when you make a conscious attempt to fool the program.

    That's not to say they can't make it more accurate, but they may be trading off accuracy for speed (filename match rather than file signature). If I was designing it I wouldn't be real concerned with trying to correctly deal with bored users trying to fool our program by renaming their important documents to "claria.exe".

    --
    "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  19. Re:Twice as much by damiam · · Score: 4, Informative

    Some of what it detects are definitely false positives. On my machine, it claimed to find registry traces of eDonkey and Grokster, which it says contain adware. But the keys it found were put there by Shareaza, a non-spyware open-source client.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
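
The "filename match rather than file signature" trade-off raised in comment 18, and the claria.exe rename from earlier in the thread, shown as an added example. It is not part of the original discussion and not any product's actual detection logic: the name list, the "known bad" bytes and the function names are all constructed for illustration.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a "known bad" executable; not a real sample.
FAKE_ADWARE_BYTES = b"MZ" + b"\x90" * 62 + b"constructed-adware-body"

# Hypothetical definition sets for the two strategies.
BAD_NAMES = {"claria.exe"}
BAD_SHA256 = {hashlib.sha256(FAKE_ADWARE_BYTES).hexdigest()}


def scan_by_name(path):
    """Fast check: flags purely on the file name and never opens the file."""
    return os.path.basename(path).lower() in BAD_NAMES


def scan_by_signature(path):
    """Slower check: reads the file, requires an MZ header, matches the hash."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not data.startswith(b"MZ"):  # not a Windows executable at all
        return False
    return hashlib.sha256(data).hexdigest() in BAD_SHA256


def run_demo():
    """Scan three constructed files; return {label: (name_hit, signature_hit)}."""
    samples = {
        # label: (file name, contents)
        "renamed_text": ("claria.exe", b"just my shopping list\n"),
        "real_match": ("claria.exe", FAKE_ADWARE_BYTES),
        "renamed_binary": ("notes.txt", FAKE_ADWARE_BYTES),
    }
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for label, (name, content) in samples.items():
            folder = os.path.join(workdir, label)
            os.mkdir(folder)
            path = os.path.join(folder, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[label] = (scan_by_name(path), scan_by_signature(path))
    return results


if __name__ == "__main__":
    for label, (by_name, by_sig) in run_demo().items():
        print(f"{label:15} name-match={by_name!s:5} signature-match={by_sig}")
```

The text file renamed to claria.exe is a false positive for the name check only, while the same bytes under a different name are a false negative for it; the content check gets both right at the cost of reading every file.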
  20. Re:Twice as much by ZeroExistenZ · · Score: 4, Informative

    I second that.

    Serv-U FTP Server is apparently a "Trojan FTP", default action is to "quarantine" in MS's view.

    --
    I think we can keep recursing like this until someone returns 1
  21. Warning: Real-Time option reenables itself by PatientZero · · Score: 5, Interesting
    I tested it out too on my home machine, and the only thing it found was the Download Manager for Gamespot (based on Kontiki). Thank you Mozilla. :)

    In any case, I unchecked the "install real time protection agents" option during installation, but after running the scan I ran through the options to see what other features it had. Surprise, RTP was enabled. Oh the irony of MS AntiSpyware behaving in the same shady fashion as Spyware apps. ;)

    So if you do install it but don't want the RTP agents, make sure you hit up the options before quitting.

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!
  22. Re:Twice as much by CritterNYC · · Score: 4, Informative

    Some of what it detects are definitely false positives. On my machine, it claimed to find registry traces of eDonkey and Grokster, which it says contain adware. But the keys it found were put there by Shareaza, a non-spyware open-source client.

    Yeah, it wanted to kill off pieces of eMule, Shareaza and Unreal Tournament 2004 on my box.

  23. Re: keep the politics out, please.... by fm6 · · Score: 4, Interesting
    ... but when you go on the political rant by saying "you'll always be sorry the Democrats didn't stay in power long enough to break Microsoft up" - you lose me.
    I think you need to have more than a passing reference to a particular political party before it counts as a "political rant". And it's not as if I'm a big fan of the Demos anyway. But that's a secondary issue. Let me refresh your memory: back in 2000, MS was defending itself in antitrust court, and doing a really poor job of it. At one point they actually got caught fabricating evidence. Then the Demos left office, and a new pro-business AG simply dropped the case.

    Whether you think the anti-trust case was a good idea or a bad one, you have to concede that Microsoft might well have been broken up by now if Al Gore had won the election. Pointing out that fact doesn't make me a partisan.

    Why can't people get it through their heads that Microsoft's problems are part of the natural course of free-market economics? They didn't start out a huge business, placing their OS on everyone's computer. They *earned* that position through superior marketing and business deals.
    Again, your memory needs refreshing. MS's dominance of the OS market is pretty much an accident. They actually got into the business against their own will. They wanted to sell development tools for the new IBM PC, but that meant that IBM had to adopt an OS those tools would run on. Which is why they steered IBM to CP/M. When that fell through, they hurriedly licensed a CP/M clone from Seattle Computer Products, which became the basis for MS-DOS.

    MS-DOS is one of the biggest abortions since the rise of modern technologies (find me a single OS expert who will give it high marks). Yet its very flaws created such a high level of lockin with the PC platform itself -- which was also pretty flawed. Since compatibility soon became the name of the game, clone computers had to reproduce all of IBM's mistakes. And since their biggest mistake was choosing MS-DOS, computer makers ended up paying a tithe to Bill for every box they sold.

    But even if you were correct, and Bill achieved his success by technical brilliance and plain good business -- so what? He got his reward when he became the richest dude on the planet. He did not earn the right to destroy the very marketplace that made him rich. Microsoft's role in the current marketplace is bad for all of us -- including Microsoft. Calling me ideological names isn't going to change that.

  24. VNC is evil!!!!111 by Venner · · Score: 4, Interesting
    Some of what it detects are definitely false positives. On my machine, it claimed to find registry traces of eDonkey and Grokster, which it says contain adware. But the keys it found were put there by Shareaza, a non-spyware open-source client.
    Yep. Same here. It decided that VNC was obviously an attempt to remotely hijack my computer.

    It also felt the need to alter my hosts file for me. It didn't like the fact that I had "ads.msn.com" pointing to 127.0.0.1 (as well as over 100 other ad domains; the only one it cared about was MSN!)
    --
    A preposition is a terrible thing to end a sentence with.