Slashdot Mirror


Review of Microsoft's Anti-Spyware Tools

happyslayer writes "Matthew Fordahl has written a review of Microsoft's anti-spyware tool and has declared it, in a word, 'ineffective.' Though the methodology isn't carried out completely (he uses another anti-virus program after trying MS's tool, but doesn't do the same with the anti-spyware tool), it's a fairly good anecdote on the MS product's usefulness."

61 of 385 comments

  1. Call me crazy by edanshekar · · Score: 5, Informative

    But it's beta, and his methodology is just plain wrong. I'm not one to jump up and defend MS, but WTF?

    1. Re:Call me crazy by ikkonoishi · · Score: 3, Insightful

      I know... I mean why test if you don't do an objective test. And how is this news?

      This kevlar armor is ineffective. I mean I tried it out and the knife went right through it.

      The MS thing is mostly to get rid of the most annoying worms at this point.

    2. Re:Call me crazy by tsotha · · Score: 2, Interesting

      Well, this is slashdot, after all. Anything bad you say about Microsoft will be accepted uncritically. Anything you say which doesn't take the appropriate anti-Microsoft tone will get you labeled an astroturfer.

    3. Re:Call me crazy by bollox4 · · Score: 2, Informative

      But, the app works! It's one of those rare beasties that does what it says. The only folk that should fear it are those with something to hide. :)

    4. Re:Call me crazy by Deathlizard · · Score: 2, Informative

      Spyware Warrior's Testing of AntiSpyware Clients. Basically replace Giant AS with Microsoft AS and there you go.

      I'm using MSAS. It works well, and it's one of the best realtime scanners I've seen so far. Although as you can see from the above comparisons, while Giant AS was one of the best performing apps in the tests, it didn't catch every spyware app out there. In fact no other app did.

      The only problems I see from MSAS so far are that it might not be a free app, and an MS lawsuit frenzy from every big name spyware company out there screaming Antitrust and monopoly all day.

    5. Re:Call me crazy by fm6 · · Score: 2, Interesting

      This is pretty typical. Somebody who knows a little something about computers appoints themselves an expert. And they get away with it, because the people around them (in this case the other reporters at AP) know even less. Sad, but not exactly unprecedented. Look at all the other "computer experts" who write total BS in various newspapers and online columns.

    6. Re:Call me crazy by MotherSuperior · · Score: 5, Insightful
      This statement is getting ridiculous. In any thread that even vaguely mentions Microsoft (and many that don't), someone rants about how everyone on Slashdot is anti-Microsoft.

      Am I the only one reading the comments? Or just the only one noticing that for every Microsoft-basher, there's someone jumping into Bill Gates' corner. Granted, there might be a marginally higher population of [Insert trendy alternate OS here] fanboys than MS ones, but come on. I see /tons/ of Highly-Moderated comments that favor Microsoft on any given issue. Considering the comments are moderated by the slashdot readership, one has to assume that not everyone here is a MS basher, doesn't one?

      Bottom Line: Microsoft is not entirely evil, nor entirely good. Intelligent people will not label them as such. Rational, right-thinking people will examine each story/issue/what have you, and make judgements accordingly.

      Microsoft-bashers: Shut up

      Microsoft-basher-bashers: Shut up

      --
      This is my sig. There are many like it, but this one is mine...
    7. Re:Call me crazy by JPriest · · Score: 4, Informative
      Beta software? They purchased and rebranded Giant AntiSpyware, which is very much a mature product. It is only "beta" because they plan to make more changes before releasing it as their own.

      And yes, I thought the article painted a pretty clear view on the state of Windows security and I think they need to do more. I think part of Microsoft does not care if people's computers become slow and unusable, because computers are appliances. People buy a new one only after theirs quits working.

      Microsoft may own the desktop market share, but they do not own the internet and because of their careless decisions Windows boxes are constantly taken over and used for sending spam and DDoS's.

      For instance, they have a firewall on but all the services are still in listening state behind it. Email based worms have been successfully using the SAME TRICK for over 10 years now. This is clearly a problem that is not going to be fixed by antivirus companies. Instead of MS releasing a free secured email client, they mostly ignore the problem creating a cash cow for AV companies whose software is intentionally designed to keep users in the dark.

      --
      Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    8. Re:Call me crazy by zootm · · Score: 3, Interesting

      A lot of the problem with Windows security is that "fixing" much of it will make users' computers just stop working as they expect. I'm not going to defend their email and browser products, but Windows is in an interesting quandary with security.

      As for Spyware (which is what I thought the article was about), it's not significantly more difficult to implement on GNU/Linux than Windows -- the main obstacles are the more-experienced users and the lack of actual profit in such an endeavour. The only real technical hitch is that it's much more difficult to install such an app for "all users" on a *nix box than on Windows (thanks to the default Administrator privileges), but on most desktop systems this will be moot, as either they are single user, or the "host" application will be being installed for all users which will require root privileges.

      I personally see the faults that Spyware exploits more as faults in user knowledge than the underlying system.

  2. Found things the others didn't... by techstar25 · · Score: 2, Informative

    I ran the current version of Spybot, then I ran the current version of AdAware (free version), and when I ran Microsoft Antispyware, it still found stuff to remove that the others didn't. That's proof enough for me. Of course I immediately uninstalled the MS Antispyware after running it, but that's beside the point. I would never let it run in the systray because of MS's reputation for bloat.

    1. Re:Found things the others didn't... by Tenebrious1 · · Score: 3, Interesting

      I ran the current version of Spybot, then I ran the current version of AdAware (free version), and when I ran Microsoft Antispyware, it still found stuff to remove that the others didn't

      Of course, the program has been criticized for the huge number of false positives that it detects. Did you check to see if the things it found were in fact spyware?

      I ran MSAS first, and it found some spyware it was not able to remove. Then running Ad-Aware which identified the spyware correctly, and also removed it. That's proof enough for me that MS AS is not ready.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
    2. Re:Found things the others didn't... by Hork_Monkey · · Score: 3, Insightful

      I also ran it after Spybot and AdAware and it found more items.

      Quite frankly, I was impressed.

      Perhaps the author of the review went in with the intent of giving a bad review?

    3. Re:Found things the others didn't... by 10101001+10101001 · · Score: 2, Funny

      Clearly, when Jesus isn't busy helping rap artists and football stars he's busy fucking up software. Just further proof that Jesus is pro hos; bitches; guys with bling, bling; and large sweaty guys while he's against fat and thin geeks and the internet in general.

      --
      Eurohacker European paranoia, gun rights, and h
    4. Re:Found things the others didn't... by norminator · · Score: 4, Interesting

      From everybody's stories about which one ran first, second, then third, and there are always things left over after each one, I'd say that's the nature of spyware removal tools.

      It's been my experience that with the few tools I've tried, there's always stuff left over. Like someone else said, it may be Microsoft's now, but it was a different brand before. I've never had any real problem with malware on my PC's (home and work), but for my coworkers' and family members' computers, I've never really seen any of the removal tools that were 100% effective.

    5. Re:Found things the others didn't... by st0rmshad0w · · Score: 4, Insightful

      "I've never really seen any of the removal tools that were 100% effective"

      Fdisk.

  3. Again? by Anonymous Coward · · Score: 2, Insightful

    How many times are we going to have a Slashdot blurb about someone reviewing this thing?

  4. Re:Microsoft Anti-Spyware by PoprocksCk · · Score: 2, Informative

    While the mods may be tempted to mod this up as "Funny," he's got a point. It's pretty well accepted nowadays that the only way to truly avoid spyware and viruses is to stop using Internet Explorer and Outlook.

  5. Actual conclusion by wmspringer · · Score: 5, Interesting

    From the end of the article:

    Overall, I was more impressed with the antispyware program's protective measures and simple interface than with its ability to cleanse existing infections. Still, Microsoft seems to be on the right path to fixing the mess caused by the careless users, malicious programmers, unethical companies and vulnerable software.

  6. Wow. Anecdotal Evidence! by Frennzy · · Score: 5, Interesting

    This is great news!

    Is someone at /. intentionally trolling?

    I can tell you that I had to clean a machine today that had 56,000 instances of 'Claria' (GAIM aka Gator)

    Ad-aware missed them on the first pass...so I used MSAS, and it caught them all. And removed them. Successfully. (whereas Ad-aware would have just quarantined them).

    I know I'll get roasted for this obvious 'fanboi' ism, but remember, MSAS is actually still GIANT, who they bought it from. (check your process names while running it...you'll see)

  7. Well... by Mad+Merlin · · Score: 2, Funny

    I don't know about you, but I'd get pretty nervous about using any software that Microsoft *openly* admits is beta.

  8. Labels competitors tools as spyware too. by tpgp · · Score: 4, Informative

    According to this story on The Register, the MS anti spyware tool also labels Bitdefender (a Romanian anti virus tool) as spyware.

    --
    My pics.
    1. Re:Labels competitors tools as spyware too. by tpgp · · Score: 3, Informative
      Stop spreading FUD. MSAS clearly states that the app has legitimate uses. It only alerts the user to its presence, in case they or their admin hasn't installed it.

      Did you read the article I linked to?
      According to Romanian anti-virus firm BitDefender, the first beta version of Microsoft's software wrongly detects a BitDefender ScanOnline object as being a piece of spyware called "Brilliant Digital".

      It labels it as Brilliant Digital - a tracking cookie. MSAS does not state the app has legitimate uses.
      --
      My pics.
    2. Re:Labels competitors tools as spyware too. by Frennzy · · Score: 2

      My bad...a mass confusion of open windows, and too many people giving "omg VNC is not teh spyware!". Sorry...the link does state what you said.

  9. Er, isn't this a duplicate? like 2 days ago by Anonymous Coward · · Score: 2, Insightful

    like they don't even read their own site?

  10. WTF? by DarkBlackFox · · Score: 5, Insightful

    What's up with all these "reviews" immediately condemning this new tool? As far as I can tell, it's an honest attempt on Microsoft's part to actively aid its customers in removing crap from their computers. I've used it myself at work, and after running Spybot, Ad-Aware, SpySweeper, and HijackThis, Microsoft Antispyware still manages to flag and remove quite a few leftovers.

    Granted, by itself it may not be the most effective thing in the world, but the same can be said for any antispyware/antivirus software. We need to run at least 3 antispyware programs at work, and at least 2 antivirus programs before we feel confident that a computer is clean enough to return to the customer.

    Besides the fact that it's just a beta, it's worked out pretty well for what it is. The interface is easy enough to figure out and use, and it identifies software which comes bundled with adware/spyware. When was the last time Spybot or Ad-Aware flagged Kazaa or Imesh as adware bundlers, while the default action is "ignore," but removal and quarantine are obvious choices? I say enough of these reviews. I'll be "reviewing" it myself by using it for what it can do well. If the final version works as well as this does, or better, it'll stay on my list of removal tools for my customers.

    1. Re:WTF? by DarkBlackFox · · Score: 2, Insightful

      Windows XP's SP2 is a step in the right direction. Computers I've loaded that on have yet to return with any more serious infections. Building the OS properly in the first place would have made life easier for us techs, but more difficult for the people who simply "want things to work."

      I completely agree with you (although it's not often I reply and can say such about an AC) that the platform is not best for the customer. However, my primary customers are laypersons who know only enough about the computer to identify the case/tower as the "modem" and that Windows is "the thing with the start thingey I click." All they know is they need Word to type stuff, AOL is the internet, and they think the flashing banner ads saying "your system clock is not accurate" are legitimate windows messages. Securing the platform is only half the battle though. All the consumer level security we can provide is useless against a kid who does everything in his power to install Kazaa to download the latest pop crap music. All the kid needs to do is click past the numerous "are you sure you want to install this even though it may cause death, temporary blindness, spyware infections, various heart conditions, etc" warnings associated with installing software on a "secure" system. The solution? Give them a limited or locked down account. But wait, now the tax software they purchased from Staples won't install or function properly.

      There is no magic bullet to the problems the common user faces these days, other than a mass migration to Mac or Linux. Even that would only pose a temporary solution though. The former doesn't seem likely when our userbase prefers lower price over quality of components, e.g. $399 PC with monitor, kb/mouse/speakers vs. even $499 for the new Mac, without kb/mouse/monitor. Education can help to an extent, but there are only so many users with the will to learn the WHY as opposed to the HOW of the way software operates. Hence the latter solution of Linux, or the lack of current viability thereof. People are afraid of what they don't know, and even more afraid of something they don't know when it doesn't work. I'd gladly recommend linux for 80% of the clients I serve, only these clients have the expectation of things just "working" without explanation, rhyme, or reason. They would try to install Windows software on linux, even after multiple explanations of why that wouldn't work.

      Along the same lines are the security concepts in OSX. It's all great and fine to use an admin password to control installing software, but what of it when some adware/spyware bundled software package is cobbled together for Mac, installed alongside some Mac Kazaa equivalent. It's not so much a problem now, but if Mac and Linux were both to become totally mainstream and at some point surpass Windows as the dominant operating systems, I have no doubt we will see an increase in the number of malicious programs for both systems. Spammers and phishers will not so easily give up their target audience, and will gladly shift platforms accordingly, using whatever methodologies to ensnare the unsuspecting and ignorant consumer.

      That turned into a rant pretty quickly, and for that I apologize. To answer the parent post, yes, perhaps the customers are better off on other platforms, but while a portion of my job is based around cleaning the messes, I do have a conscience, and I don't keep people pinned to any particular platform for my own gain. At this point in time, the needs of my customers are based in a win32 world, and until something more drastic than a $90 repair bill comes their way to convince them otherwise, they will happily sit there and accept whatever crap the internet decides to gargle up.

  11. M$ is Evil!! by ontheheap · · Score: 3, Insightful

    That seems to be the common mindset amongst a good majority of /.'s. While I don't necessarily agree with their business practices, I admit that they put out some pretty good software. The visual studio family of compilers for one. Another thing, I've /never/ experienced a crash with XP. Because I know how to use it. I've never had a crash with Slackware either. You know why? Yup. Because I know how to use it. Also, firefox is not some magical solution to spyware. I'll admit it's a bit harder to become infected if you use ff instead of ie, but a stupid user is a stupid user regardless of what software you place in front of them. In short, MS AntiSpyware looks like a very promising app. One which I hope Microsoft continues to improve.

  12. Re:Makes no sense by einhverfr · · Score: 4, Informative

    First, I have never found any spyware problem that I could not resolve in approx 2 hrs or so. It is relatively simple. If Adaware and/or Spybot fail to detect and remove the infection, you have a few options. I do as follows:

    1) Boot into safe mode.
    2) Delete all browser helper objects. I usually leave Java installed unless it too seems infected (can happen).
    3) Run msconfig. Select diagnostic boot. Then reboot into normal mode.
    4) Now comes the fun. Open MSConfig and look at the registry entries and startup items. I use Google to identify what they do and note any suspicious items.
    5) Just for protection, I create a restore point so I don't remove something I shouldn't and get into trouble. Then I use msconfig to select normal startup. When it asks if I want to reboot, I say "reboot later"
    6) I go through the run keys (under HKCU and HKLM). I delete suspicious values. Same with the startup folder. I also review the drivers for anything strange and backup/delete as needed (I have seen drivers which I believed were involved in spyware).
    7) Suggest to my customer (if it seems like a good idea) that we discuss migrating to Linux if they have continuing issues.

    Reboot to test. Make note of anything that comes back. Reboot in safe mode if necessary to remove those values.

    Granted this doesn't remove all the spyware programs, but it does disable their startup. By troubleshooting a problem for days and not being able to solve it, the author of the article has demonstrated that he doesn't really understand the Windows boot process or how to really troubleshoot it. Yes, I only run Linux, but I can troubleshoot Windows with the best.

    --

    LedgerSMB: Open source Accounting/ERP
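
The inventory behind steps 4 and 6 of the comment above, as an added example that is not part of the original comment: it parses a `reg export`-style text dump and lists every Run/RunOnce value and Browser Helper Object so each can be looked up before anything is deleted. The key paths are the standard Windows locations and the sample dump is constructed; neither comes from the thread.

```python
import re

# Standard Windows autostart locations (an assumption added here; the comment
# only says "run keys (under HKCU and HKLM)" and "browser helper objects").
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
}
BHO_PARENT = (
    r"software\microsoft\windows\currentversion\explorer"
    r"\browser helper objects"
)

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
# "name"=data or @=data; quotes and backslashes inside a name are escaped.
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(text):
    """Undo .reg escaping, where backslash and double quote are backslash-escaped."""
    return re.sub(r"\\(.)", r"\1", text)


def inventory_autostarts(reg_text):
    """Return (hive, location, name, command) tuples for every autostart entry."""
    entries = []
    hive = location = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            hive, _, subkey = section.group(1).partition("\\")
            lowered = subkey.lower()
            location = None
            if lowered in RUN_KEYS:
                location = subkey.rsplit("\\", 1)[1]
            elif lowered.startswith(BHO_PARENT + "\\"):
                clsid = subkey[len(BHO_PARENT) + 1:]
                # Each BHO is a direct subkey named by its CLSID.
                if "\\" not in clsid:
                    entries.append((hive, "BHO", clsid, ""))
            continue
        value = VALUE_RE.match(line)
        if location is None or not value:
            continue
        name = unescape(value.group(1)) if value.group(1) is not None else "(Default)"
        data = value.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        # Anything else (hex(2): expandable strings, dword:) is kept in its raw
        # encoded form so that no entry is silently dropped from the review.
        entries.append((hive, location, name, data))
    return entries


# Constructed sample dump; program names and the CLSID are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Updater"="\"C:\\Program Files\\Updater\\upd.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Helper"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"Run"="not an autostart"
'''

if __name__ == "__main__":
    for hive, location, name, command in inventory_autostarts(SAMPLE_EXPORT):
        print(f"{hive:20} {location:8} {name:40} {command}")
```
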
  13. How many reviews of this thing do we need? by glrotate · · Score: 2, Insightful

    I think this is the third. How about holding off until a final product, or at least a new version, is released?

  14. Concurs... by stephenisu · · Score: 3, Informative

    I can't believe this story was posted. As much as I dislike MS on many levels, THIS IS BETA!!!!

    Furthermore, some of the most effective anti-spyware tools I have used have broken windows before. It is in Microsoft's best interest to be careful in their approach to this. If they break legitimate programs with their tool, they are looking at lawsuits (EULA or no) and they have money to go after.

    Please save the bashing until this thing is released officially as non-beta.

    --
    Sigs? We don't need no stinking sigs!
    1. Re:Concurs... by Anonymous Coward · · Score: 2, Funny

      "I can't believe this story was posted. As much as I dislike MS on many levels, THIS IS BETA!!!!"

      And to why the story was posted , THIS IS SLASHDOT!!!!

    2. Re:Concurs... by tehshen · · Score: 2, Informative

      Please save the bashing until this thing is released officially as non-beta.

      Why should being beta matter? It is not just a bit you can flip on, and suddenly all the flaws don't matter. It is still 'ineffective', and being beta does not change that.

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    3. Re:Concurs... by Chess_the_cat · · Score: 3, Insightful

      Well that's real interesting. Especially as how loved this software when it was Giant's and now that MS has bought it, it's suddenly shite. Gimme a break.

      --
      Support the First Amendment. Read at -1
  15. Re:Wow. Anecdotal Evidence! by Anonymous Coward · · Score: 2, Funny

    Since when can Windows run 56,000 instances of anything?

  16. Better than nothing? by hanshotfirst · · Score: 2, Interesting
    I'm not a M$ fan by any means, but this has got to be better than nothing. Mom and Pop aren't going to install firefox/adaware/etc. unless /we/ install it for them.

    If M$ puts this on windows autoupdate as they SHOULD (the browser that brings the crap is free, so the cleanup tool should be equally free), then this will at least put a basic measure of protection in place for the majority of Win users who don't frequent /. for the latest spyware news.

    I'm tempted to give kudos to M$ for the effort, but I fear I would get modded Troll for doing so.

    --
    Why, oh why, didn't I take the Blue Pill?
  17. Ineffective? Are you so sure? by Kozz · · Score: 4, Funny

    I think it's great. Nooo, definitely no sarcasm here. uh-uh.

    --
    I only post comments when someone on the internet is wrong.
  18. Tracking cookies... by parvenu74 · · Score: 2, Interesting

    Tracking cookies were the only thing MS anti-spyware didn't find, and there is nothing in the documentation about MS antispyware going after such items.... so in other words it performed as advertised -- and needs improvement.

    That said I am switching to Mac and leaving this spyware crap behind me.

  19. Re:Makes no sense by einhverfr · · Score: 2, Interesting

    Did I mention that these services usually cost $40-$60/hr where I live, minimum 1 billable hour (I charge $40 because I don't have a lot of overhead but will raise my rates in the fall).

    So that is $40 to $120 every time they get hit with anything and want help! Yes, I offer to talk to them about migrating to Linux because although they get to pay me for my time to help them with the migration, it is far cheaper over a reasonable length of time than it is to call me every time they get spyware.

    --

    LedgerSMB: Open source Accounting/ERP
  20. Re:Wow. Anecdotal Evidence! by paranoidgeek · · Score: 2, Insightful

    And removed them. Successfully. (whereas Ad-aware would have just quarantined them).

    Errr and how is quarantining worse than deletion ??
    I personally would find quarantining a feature because .. well sometimes computers *do* make mistakes and I prefer it if they can undo the mistakes.

    --
    Lima India November Uniform X-ray
  21. Re:Not effective for me. by bonch · · Score: 2, Interesting

    That's not very fair or informative. You've already run Ad-Aware SE, so chances are your system is clean anyway. Then you run this and find nothing and assume it's not worthwhile?

    As for lagginess, that could be attributed to anything, from user perception to it still unloading itself from memory (you didn't mention how long the lagginess lasted).

    Come on. This isn't even out of beta form yet.

  22. Users & Spyware by Vulture101 · · Score: 2, Insightful

    What seems to escape most posters is that the majority of spyware on computers was installed by the people that use them. There is no OS or antispyware or whatever that can do anything about that, average joe is dumb in windows in linux or os2, average joe will click on ad or will install Bonzi Buddy just to watch some naked chicks. It's mostly a problem of user education, not software.

  23. Operator Error by SamMichaels · · Score: 4, Interesting

    The author is ineffective at system recovery.

    I tested the programs on a Windows XP computer I borrowed from my wife's cousin. The 3-year-old PC, a Gateway running Windows XP Home Edition, was basically unusable.

    Me too, except this was a customer.

    Error messages appeared when I tried to open the Task Manager, a Windows utility that shows running programs and processes. It refused to load Windows Update, Microsoft's site for downloading security patches and other fixes.

    Those plus the TCP stack was corrupt on this machine...wouldn't renew the DHCP lease. Had to manually rebuild that as well.

    To load Microsoft's Malicious Software Removal Tool, I had to get it using another machine, load it on a USB drive and install it manually. (It's usually available through Windows Update.)

    Or you could have just put the executable on a CD with SP2's executable and MS Anti-Spyware's executable. But that would make sense for someone in the system recovery business and we can't have that!

    The tool looks for a limited number of pests, such as "Sasser" and "MSBlaster," so it didn't find the worm, "Netsky.P," that had infected this PC.

    The program was designed to search for a few insanely critical bugs. It COMPLEMENTS your set of tools...not replaces them.

    But bizarre behaviors -- including multiple pop ups, unwanted toolbars and generally sluggish behavior -- continued.

    That's because you're not in safe mode and you haven't stopped the programs from regenerating.

    So I rebooted the PC in safe mode...

    Now we're going in the right direction!

    After rebooting again, the PC continued to show signs of infection, though it did seem less bogged down. Having spent two days disinfecting the system, I broke down and reformatted the hard drive. I then reinstalled Windows XP and all its patches.

    Pfffft. Ineffective computer technician.

    I don't have the option to just backup whatever I feel is important on a customer's PC...they're paying me to recover their system, not pick which files have to disappear forever and cause them to lose all their settings and programs.

    Once again for clarity: INEFFECTIVE COMPUTER TECHNICIAN.

    MS Anti-Spyware has done an EXCELLENT job on every single customer PC. The Malware tools from MS make a quick and easy check during the in-home visit for those REALLY nasty bugs.

    Who is this guy, anyway? Oh wait...

    MATTHEW FORDAHL, AP Technology Writer

    Technology WRITER. Leave the tech stuff up to the tech people and have fun with your little Word.

    1. Re:Operator Error by mikeb39 · · Score: 2, Insightful

      Your elitism is undeserved and annoying. In actual repair shops (it sounds to me like you just do it freelance without knowing much), the quickest and best way we do things is by backing up the data, then reformatting. You can dink around forever fixing this little bug or that one, or get the whole job done in about 2 hours. One of those choices is the one used by actual professionals.

  24. Spyware on Linux/Unix by parvenu74 · · Score: 2, Insightful

    Okay, slightly OT, but answer me this: why is it that Linux and Unix based systems (like Mac OS X) don't have problems with spyware and viruses? The popular argument by Windows fanboys is that because there is not enough of a market share for *nix to matter to malware authors. I've read it also has to do with package management on *nix, and that you cannot just simply execute a script or binary on a *nix system? TECHNICALLY SPEAKING, what is the straight answer here?

    1. Re:Spyware on Linux/Unix by damiam · · Score: 5, Interesting
      Several straight answers:

      1. Unix users are self-selecting; they tend to be technically competent and less likely to be infected than the general populace.

      2. Unix systems use a wide range of email applications and web browsers, almost all of which have fewer holes than IE/OE. No Unix mail client will execute an attachment for you; you have to save it, enable the execution flag, and then run it yourself.

      3. Unix desktops are not nearly as common as Windows desktops, so there're fewer incentives to hack them. They're also quite diverse; a binary for PPC MacOS isn't going to work under x86 OpenBSD, Sparc Solaris, or ARM Linux, which reduces the pool of target machines for a given virus.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  25. 80% of my job is eliminating spyware by vudufixit · · Score: 2, Insightful

    I work seven days a week, 10-14 hours a day as a freelance computer repair person. Most of my clients are residential, and about 80% of their problems are related to viruses and spyware, most of it brought on by the downloading and usage of "bundlers" such as Kazaa. I've found AdAware and Spybot to be very effective, followed closely by Hijack This and CW Shredder. Security Task Manager is also pretty good, and Killbox is great for eliminating hard-to-delete individual files. I was glad when Giant came out, and still OK with it when MS bought them out. Giant/MS antispyware finds stuff the others don't - each of these utilities complement one another. In addition, as another poster said, I take stuff out of MSCONFIG and the "Run" keys. I also delete executables and .dll files I recognize as bad, as well as go into Add/Remove and take a lot of rogue programs out of there, as well. c:\windows\prefetch and c:\windows\temp get an emptying out, too. Oh, and the 2004, 2005 versions of Norton and McAfee do seem to include some malware detection beyond viruses.

  26. Crap article by AutoTheme · · Score: 3, Insightful

    I neither hate it nor love it or Microsoft. The simple fact is that the review was crap. The methodology was lacking and the scientific process non-existent. We've done several anti-virus and anti-spyware comparisons. What you do is simple:

    - Load up a virtual machine with XP and take a snapshot
    - then kill it with viruses or spyware
    - run a tool and find what it catches/cleans
    - revert to the snapshot and run the next tool
    - do some simple math

  27. Pointer to a *competent* review by Beryllium+Sphere(tm) · · Score: 2, Informative
    Eric Howes tests anti-spyware products including the one Microsoft bought.

    A test of "I ran A but then I ran B and it found X left over" is meaningless by itself. You need to start over and run in the opposite order, to see how much A catches that B doesn't.

    What Eric Howes found matches what service techs find. There's no tool with 100% coverage. Which, if you know any statistics, tells you that even running multiple tools doesn't guarantee anything. I tell any client who will listen to focus on prevention.

    You know what else is wrong with the AP "review"? He keeps calling the "Malicious Software Removal Tool" (hilarious name, think about it) "antivirus". It's not intended to be. It's a bundle of a few cleanup utilities.
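
The "simple math" of the two comments above, as an added example that is not part of the original thread: each tool is scored alone against the same reverted snapshot, and the sequential "B found leftovers after A" result is computed in both orders for contrast. Tool names, sample IDs and detection sets are constructed.

```python
def coverage_report(planted, detections):
    """Score each tool from its own run against the same infected snapshot.

    planted:    set of sample ids installed before the snapshot was taken
    detections: {tool: set of ids the tool flagged when run alone}
    """
    report = {}
    for tool, found in detections.items():
        hits = found & planted
        others = set().union(*(d for t, d in detections.items() if t != tool))
        report[tool] = {
            "coverage": len(hits) / len(planted),
            "false_positives": sorted(found - planted),
            "unique": sorted(hits - others),      # caught by this tool only
            "missed": sorted(planted - found),
        }
    return report


def sequential_leftovers(planted, detections, order):
    """What each tool 'finds left over' when run in order without reverting."""
    remaining = set(planted)
    found_by = {}
    for tool in order:
        found_by[tool] = sorted(remaining & detections[tool])
        remaining -= detections[tool]
    return found_by, sorted(remaining)


def combined_coverage(planted, detections):
    """Fraction of planted samples caught by at least one tool."""
    caught = set().union(*detections.values()) & planted
    return len(caught) / len(planted)


# Constructed data: ten planted samples and one benign file a tool misflags.
PLANTED = {f"s{n:02d}" for n in range(1, 11)}
DETECTIONS = {
    "tool_a": {"s01", "s02", "s03", "s04", "s05", "s06", "s07"},
    "tool_b": {"s01", "s02", "s03", "s04", "s05", "s08", "benign_01"},
    "tool_c": {"s03", "s04", "s05", "s06", "s09"},
}

if __name__ == "__main__":
    for tool, row in coverage_report(PLANTED, DETECTIONS).items():
        print(tool, row)
    # Whichever tool runs second "finds things the first one didn't".
    print(sequential_leftovers(PLANTED, DETECTIONS, ("tool_a", "tool_b")))
    print(sequential_leftovers(PLANTED, DETECTIONS, ("tool_b", "tool_a")))
    # Even all three together leave s10 behind.
    print(combined_coverage(PLANTED, DETECTIONS))
```
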

  28. Re:Pirates? by Orion+Blastar · · Score: 3, Interesting

    I heard that Norton Antivirus 2004 and above check for pirate key generator programs and report them as "hacker programs" or some such and then delete them.

    You hit an interesting point, can the program check registrations to see if the software is pirated, and then remove it if it is pirated and report it as Spyware? Already BitDefender, a competing product, is seen as Spyware. So we see the MS tactic here to report competitors as Spyware, which makes MSAS look even better.

    Think about it, Mozilla Firefox, Thunderbird, Opera, Eudora, OpenOffice.org, etc can be seen as Spyware this way, and the user is forced to use the Microsoft products that compete with them, to avoid the Spyware alerts.

    --
    Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
  29. Hurrah for Microsoft bashing on slashdot! by bildungsroman_yorick · · Score: 3, Funny

    Whenever a Microsoft bashing article comes up on slashdot we need a little video song clip to come on with pasty aggressive nerds emerging from their basements in homemade rockets with the lyrics blaring: SLASHDOT! FUCK YEAH! Coming again, to save the mother fucking day yeah, SLASHDOT, FUCK YEAH! Linux is the only way yeah, Microsoft your game is through cause now you have to answer to, SLASHDOT, FUCK YEAH! So lick my slanted posting, and suck on my trolls, SLASHDOT, FUCK YEAH! What you going to do when we come for you now, it's the open-source dream that we all share; it's the hope for tomorrow. FUCK YEAH! OpenBSD, FUCK YEAH! Spybot S&D, FUCK YEAH! Beowulf Clusters, FUCK YEAH! Neal Stephenson, FUCK YEAH! MMORPG, FUCK, YEAH!

  30. Marklar... by Eric_Cartman_South_P · · Score: 2, Funny
    "Still, Microsoft seems to be on the right path to fixing the mess caused by the careless users, malicious programmers, unethical companies and vulnerable software."

    Those last 4 are all Microsoft too.

  31. Ineffective? by iCEBaLM · · Score: 2

    I'm the last to support MS in any way shape or form, but seeing as this is nothing but a rebranded version of Giant Anti-Spyware, and Giant Anti-Spyware was shown to have the best batting average of removing spyware, why are we jumping on the bandwagon to bash it so soon without allowing it to get out of "beta" (which it really isn't, as Giant Anti-Spyware wasn't beta)?

  32. Re:How so? by Anonymous Coward · · Score: 2, Funny
    If Gentoo was used by 90% of the install base, spyware vendors would find a way.

    Maybe so, but it would be the cleanest, most optimized and up-to-date spyware on the planet.

  33. No corporate solution by sremick · · Score: 2, Informative

    This article from a few days ago dubs spyware "IT's public enemy #1" and I have to agree. I admin a small network of about 100 Windows PCs and it's such a headache. Sure, I know how to clean a machine completely... but it involves an arsenal of different programs plus a lot of by-hand work and reboots and safe-mode and such.

    The problem is, there is no one effective tool. The antivirus industry has matured. Granted, Symantec might not catch EVERYTHING but what it DOES catch covers everything I've ever come across, and 99.999% of what most other people will too.

    SpyBot... AdAware... SpySweeper... Giant/MS Antispyware... each catches stuff the others don't. Doesn't matter what order you run them. And I can run ALL of them, and sometimes go into HijackThis and find more spyware still lingering. Sometimes it's remnants of some spyware the tool identified but wasn't effective in completely removing. Sometimes it's an entirely NEW piece of spyware.

    So what's a corporation to do? Sure, some of them offer corporate versions... but since none of them catch a reasonable amount, there's no single one worth investing that amount of money in. So what do you do... manually spend an hour every week on each machine? x100? x1000? x10000? It's crazy.

  34. utter nonsense by Diabolus777 · · Score: 5, Insightful

    I sincerely hope they never do charge for this product.

    MS selling anti-spyware is like Goodyear selling anti-defective-tire-glue-or-something.

    1.Build defective product
    2.Let customer get flooded with problems
    3.Instead of fixing defective product, sell customer some kind of half working fix you bought from someone else
    4.profit!!!

    --
    We should have been
    So much more by now
    Too dead inside
    To even know the guilt
  35. it's a vicious cycle by louden+obscure · · Score: 2, Insightful

    which i personally have solved at home by cresting the learning curve of *nix. yeah it's not a perfect solution by any means. but instead of chasing my tail and trying to bludgeon an ms OS into submission, i have been slowly learning how to tailor a linux based OS to my needs and wants. i'm not chasing a moving target of virus, spyware, adware or what have you. to me, joe sixpack, my choice just seems easier. oh yeah, and the free beer aspect...duh!

    --
    Serenity now, insanity later.
  36. Re:Wow. Anecdotal Evidence! by ShaunC · · Score: 2, Interesting
    I can tell you that I had to clean a machine today that had 56,000 instances of 'Claria' (GAIM aka Gator)
    I'd call bullshit even if you'd said 5,600 instances.

    I've dealt with a lot of fubared systems. I've dealt with systems that were so full of nefarious DLL hooks that using the machine was literally impossible; ads would pop up, IE instances would launch instead of the action the user was trying to perform. I've dealt with systems that barely managed to boot outside of safe mode due to spyware infestation. And through all this, I've never had the holy triumvirate (AdAware, SpyBot, HijackThis) come up with more than a couple of hundred individual spyware objects. I haven't kept a particular running "high score," but I don't think I've ever seen more than 500, and I know I've never seen 1,000.

    I'm not counting cookies, I'm talking about actual spyware, though cookies are often included in the "spyware" reports of popular programs. Still, I don't believe that Windows could even keep up with 56,000 cookies, let alone processes.
    I'd like to see a screenshot from any spyware removal tool showing anywhere near 56,000 objects found. I simply don't think it's possible.

    I've tried Microsoft Anti-Spyware, and it's really not that bad, but it does generate false positives. On my own system, among other things, it claimed to find a "WhenU SaveNow" infestation inside of a batch file with the following contents:
    @ECHO OFF
    ECHO --- BearShare Usage Statistics ---
    if not exist .\WebStats MD .\WebStats
    if not exist .\Logs MD .\Logs
    if not exist .\Logs\access.txt goto errend
    .\WebStats.exe
    Start .\Webstats\index.html
    goto end

    :errend
    Echo Upload logging is now activated, but there
    ECHO isn't any upload activity to report yet.
    PAUSE
    :end
    exit
    While BearShare does arrive with stowaways like SaveNow and Weathercast, I nuke that junk manually after installation, and neither of those cretins get installed into BearShare's working directory to begin with. There is nothing in that directory infested with any sort of spyware, but MSAS really, really wanted me to quarantine or delete the batch file (along with most of the other files in the BearShare directory). It just makes me curious.

    MSAS is not a bad app. I kind of like its "Tracks Eraser" feature. I wrote an app a few years ago called WinSanitizer which does a lot of that, and if I ever decide to finish it up and give it to anyone else, I might include a few of the new ideas that MSAS's "Tracks Eraser" has given me. The "System Explorers" feature is beautiful, and IMO more useful than the anti-spyware feature of the program.

    Overall I'd say MSAS is one more tool for the toolbox. I wouldn't dare trust it alone any more than I trust the apps which comprise the triumvirate alone. But I hope during the beta process, they weed out the false positives.

    (BTW, I presume you meant GAIN and not GAIM... :)

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  37. No, they will make REAL improvements ... by Snork+Asaurus · · Score: 3, Funny
    they'll probably stop calling it beta when they figure out how to bloat it into total uselessness (so far they've made it auto start without option to turn off, and have a long and annoying splash screen)

    After burning tens of thousands of R&D hours, the brains at MS labs will be adding a dancing, blinking magnifying glass that will pop up with the caption "I see you're trying to get rid of spyware!"

    --
    Sigs are bad for your health.
  38. Not only that by Sycraft-fu · · Score: 2, Insightful

    I would label all spyware tools as ineffective, or at the very least suboptimal and flawed. I know of no tool that will automatically remove all spyware safely and reliably, and block it from the system. I can find this technology in a virus scanner, several in fact. They have essentially a 100% detection rate, frequently updated definitions, ability to block viruses before they reach the system, and with heuristic analysis the ability to block unknown variants.

    All the spyware software is flawed in some way. The automatic software fails to completely remove all spyware. Even good ones like Spybot and Adaware fail to remove everything, in fact one often finds what the other misses. Also, sometimes when it does remove a piece of spyware, it does so in a manner that causes harm to the system (Adaware improperly removed new.net at one point and left DNS inoperable on the system). Manual ones, like Hijack This, do a much better job, but only if a skilled and knowledgeable individual is operating them.

    So I'd say, if MS's tool finds a lot, but not all spyware, they are on par with other good tools. It would be desirable to see it get better, and become the first to find all spyware, but you can't knock them for not totally succeeding when no one else has come close.

  39. Re:Wow. Anecdotal Evidence! by gargan · · Score: 2, Interesting

    I too deal with spyware infested systems quite a bit, and I also doubt the 56,000 number. I've never seen anything remotely close to that, but I have seen a combination of Aluria, MSAS, and Ad-Aware come up with a total of nearly 2000 objects. FWIW.

    --
    Emory: Uh..we're still..beta testing that.
    Oglethorpe: What you're testing is me and my patience!