Re: [Full-Disclosure] Microsoft AntiSpyware - First Impressions

From: Mary Landesman (mlande_at_bellsouth.net)
Date: 01/10/05

    To: <full-disclosure@lists.netsys.com>
    Date: Sun, 9 Jan 2005 20:20:23 -0500
    
    

    Running a competing product after a scan from another simply determines
    whether the second product will false positive on leftover benign registry
    keys, folders, etc. Yes, it would be *nice* if all remnants were removed, but
    that's not the reality with any of these products. Oftentimes, these
    so-called 'infections' are empty folders or leftover registry keys that no
    longer have a file associated with them. The false positive rates in these
    products are extremely high and, I believe, lead to a perception that
    adware/spyware is much more prevalent than it really is.

    The real indicator is whether all active components of the infection are
    removed. To do this requires isolating the startup vectors, active
    processes, services, etc. and determining whether the product(s) being
    tested effectively removes those. In other words, is the infection
    effectively neutered such that it will no longer load/run?

    Also, each of these products reports differently. For example, Ad-Aware
    counts every individual key, file and folder as an 'object' whereas
    Microsoft AntiSpyware and several others more conservatively (and I feel,
    more accurately) group keys, files, and folders associated with a specific
    adware/spyware as a single detection (in much the same manner as virus
    scanners do).

    I used the 'active' criteria described above to test MS AntiSpyware against
    180 Solutions, Avenue Media, BargainBuddy, BonziBuddy, Claria,
    CoolWebSearch, Cydoor, Dashbar, Exact Searchbar, Hotbar, Huntbar (WinTools),
    Internet Optimizer, IST.SlotchBar, NEO, Troj_StartPage, WebSearch,
    WhenUSearch, WinTools, Xrenoder, and Zango Search Assistant.

    In my tests, MS AntiSpyware removed 91% of all active/startup components
    compared to Ad-Aware at 65% and Spybot at 55%. I also broke it down by
    category; MS AntiSpyware removed/corrected:

    96% of processes running in memory
    67% of start/search page modifications
    100% of BHO/Toolbars
    95% of startup vectors
    100% of other (buttons/menu items, etc)

    Interesting, though, that even though we used different criteria, the
    results are the same - MS AntiSpyware provides better detection. (It is
    important to note that CounterSpy uses the same Giant technology. In fact,
    many of the bugs/results being reported with MS AntiSpyware are also true of
    CounterSpy).

    You can read my full review at:
    http://antivirus.about.com/od/antivirussoftwarereviews/a/msantispy.htm

    For those who don't want to be bothered with the ads, the most important
    part of my review has already been posted in this message.

    -- Mary

    ----- Original Message -----
    From: "jerome.athias" <jerome.athias@free.fr>
    To: <full-disclosure@lists.netsys.com>
    Sent: Sunday, January 09, 2005 4:38 AM
    Subject: RE: [Full-Disclosure] Microsoft AntiSpyware - First Impressions

    You might be interested in an article called "MS AntiSpyware vs Ad-Aware
    vs SpyBot"

    http://www.flexbeta.net/main/articles.php?action=show&id=84&perpage=1&pagenum=1

    Regards,
    Jerome

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

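The "active components" criterion the post describes (isolate the startup vectors, running processes, services, BHOs/toolbars and start/search page settings, then check whether the cleaner actually removed them) can be reproduced with a snapshot-and-diff script. The following is an added PowerShell example, not code from the original post or from any of the products under review. It assumes a current PowerShell on Windows (Get-CimInstance) run from an elevated session; the registry paths are the standard Run/RunOnce, Browser Helper Objects, Internet Explorer Toolbar and Internet Explorer Main locations, and the snapshot file names in the usage comment are arbitrary.

```powershell
# Added example: snapshot the "active" vectors named in the post and measure,
# per category, how many of an infection's components survive a cleaner run.
# Run elevated so HKLM and all processes/services are visible.

function Add-Vector {
    param([System.Collections.ArrayList]$List, [string]$Category, [string]$Name, [string]$Value)
    [void]$List.Add([pscustomobject]@{ Category = $Category; Name = $Name; Value = $Value })
}

function Get-ClsidServer {
    # Resolve a CLSID to the DLL registered as its in-process server
    param([string]$Clsid)
    (Get-ItemProperty -Path "HKLM:\Software\Classes\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
}

function Get-ActiveVectors {
    $v = New-Object System.Collections.ArrayList

    # Processes in memory (path is empty for protected/system processes)
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Vector $v 'Process' $_.ProcessName $_.Path
    }

    # Services that are running or start automatically
    Get-CimInstance Win32_Service |
        Where-Object { $_.State -eq 'Running' -or $_.StartMode -eq 'Auto' } |
        ForEach-Object { Add-Vector $v 'Service' $_.Name $_.PathName }

    # Startup vectors: Run / RunOnce in both hives
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider, ...
                Add-Vector $v 'Startup' "$key\$($p.Name)" $p.Value
            }
        }
    }

    # BHOs: one subkey per CLSID, resolved to the DLL that gets loaded
    $bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        Get-ChildItem $bho | ForEach-Object {
            Add-Vector $v 'BHO/Toolbar' $_.PSChildName (Get-ClsidServer $_.PSChildName)
        }
    }

    # IE toolbars: value names are CLSIDs
    $tb = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
    if (Test-Path $tb) {
        foreach ($p in (Get-ItemProperty -Path $tb).PSObject.Properties) {
            if ($p.Name -like '{*}') { Add-Vector $v 'BHO/Toolbar' $p.Name (Get-ClsidServer $p.Name) }
        }
    }

    # Start / search page settings (hijack targets)
    $main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    if (Test-Path $main) {
        $m = Get-ItemProperty -Path $main
        foreach ($name in 'Start Page', 'Search Page', 'Default_Search_URL') {
            if ($m.$name) { Add-Vector $v 'StartSearchPage' $name $m.$name }
        }
    }
    return $v
}

function Get-VectorKey {
    param($Vector)
    "$($Vector.Category)|$($Vector.Name)|$($Vector.Value)"
}

function Measure-Removal {
    # An infection component is anything present in the infected snapshot but
    # not the clean baseline; it is neutered only if it is gone again afterwards.
    param($Clean, $Infected, $Cleaned)
    $baseline  = @($Clean   | ForEach-Object { Get-VectorKey $_ })
    $remaining = @($Cleaned | ForEach-Object { Get-VectorKey $_ })
    $Infected |
        Where-Object { $baseline -notcontains (Get-VectorKey $_) } |
        Group-Object Category |
        ForEach-Object {
            $total = $_.Count
            $left  = @($_.Group | Where-Object { $remaining -contains (Get-VectorKey $_) }).Count
            [pscustomobject]@{
                Category       = $_.Name
                Components     = $total
                Survivors      = $left
                PercentRemoved = [math]::Round(100 * ($total - $left) / $total, 1)
            }
        }
}

# Usage (file names are arbitrary): snapshot clean, after infection, after cleaning.
# Get-ActiveVectors | Export-Clixml clean.xml
# Get-ActiveVectors | Export-Clixml infected.xml
# Get-ActiveVectors | Export-Clixml cleaned.xml
# Measure-Removal (Import-Clixml clean.xml) (Import-Clixml infected.xml) (Import-Clixml cleaned.xml) | Format-Table
```

Diffing against a clean baseline is what keeps leftover-but-inert keys out of the score: an entry only counts as a surviving component if it was introduced by the sample and still loads a file that exists, which is the distinction the post draws between "objects" and neutered infections.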

