RE: [Full-Disclosure] Microsoft AntiSpyware - First Impressions

From: James Patterson Wicks (pwicks_at_oxygen.com)
Date: 01/10/05

    Date: Sun, 9 Jan 2005 20:53:57 -0500
    To: "Mary Landesman" <mlande@bellsouth.net>, full-disclosure@lists.netsys.com
    
    

    Thank you for the thorough examination and excellent review. Your
    timely information will provide more than enough data for senior
    management to sign off on a limited deployment of the beta. Since my
    company has such a liberal surfing policy, deploying this tool to the
    problem users (the "why do I keep getting popup ads" group) should
    reduce the amount of time that the helpdesk spends cleaning systems. We
    also do not have to worry about violating LavaSoft licensing by using
    Ad-Aware SE within the enterprise.

    -----Original Message-----
    From: full-disclosure-bounces@lists.netsys.com
    [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf Of Mary
    Landesman
    Sent: Sunday, January 09, 2005 8:20 PM
    To: full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Microsoft AntiSpyware - First Impressions

    Running a competing product after a scan from another simply determines
    whether the second product will false positive on leftover benign registry
    keys, folders, etc. Yes, it would be *nice* if all remnants were removed, but
    that's not the reality with any of these products. Oftentimes, these
    so-called 'infections' are empty folders or leftover registry keys that no
    longer have a file associated with them. The false positive rates in these
    products are extremely high and, I believe, lead to a perception that
    adware/spyware is much more prevalent than it really is.

    The real indicator is whether all active components of the infection are
    removed. To do this requires isolating the startup vectors, active
    processes, services, etc. and determining whether the product(s) being
    tested effectively removes those. In other words, is the infection
    effectively neutered such that it will no longer load/run?

    Also, each of these products reports differently. For example, Ad-Aware
    counts every individual key, file and folder as an 'object' whereas
    Microsoft AntiSpyware and several others more conservatively (and I feel,
    more accurately) group keys, files, and folders associated with a specific
    adware/spyware as a single detection (in much the same manner as virus
    scanners do).

    I used the 'active' criteria described above to test MS AntiSpyware against
    180 Solutions, Avenue Media, BargainBuddy, BonziBuddy, Claria,
    CoolWebSearch, Cydoor, Dashbar, Exact Searchbar, Hotbar, Huntbar (WinTools),
    Internet Optimizer, IST.SlotchBar, NEO, Troj_StartPage, WebSearch,
    WhenUSearch, WinTools, Xrenoder, and Zango Search Assistant.

    In my tests, MS AntiSpyware removed 91% of all active/startup components
    compared to Ad-Aware at 65% and Spybot at 55%. I also broke it down by
    category; MS AntiSpyware removed/corrected:

    96% of processes running in memory
    67% of start/search page modifications
    100% of BHO/Toolbars
    95% of startup vectors
    100% of other (buttons/menu items, etc)

    Interesting, though, that even though we used different criteria, the
    results are the same - MS AntiSpyware provides better detection. (It is
    important to note that CounterSpy uses the same Giant technology. In fact,
    many of the bugs/results being reported with MS AntiSpyware are also true of
    CounterSpy).

    You can read my full review at:
    http://antivirus.about.com/od/antivirussoftwarereviews/a/msantispy.htm

    For those who don't want to be bothered with the ads, the most important
    part of my review has already been posted in this message.

    -- Mary

    ----- Original Message -----
    From: "jerome.athias" <jerome.athias@free.fr>
    To: <full-disclosure@lists.netsys.com>
    Sent: Sunday, January 09, 2005 4:38 AM
    Subject: RE: [Full-Disclosure] Microsoft AntiSpyware - First Impressions

    You might be interested in an article called "MS AntiSpyware vs Ad-Aware
    vs SpyBot":

    http://www.flexbeta.net/main/articles.php?action=show&id=84&perpage=1&pagenum=1

    Regards,
    Jerome

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


    This e-mail is the property of Oxygen Media, LLC. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to postmaster@oxygen.com and destroy all electronic and paper copies of this e-mail.

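As an added illustration of the 'active components' criterion Mary describes above (this is not code from the thread or from any product named in it), the scorer below ignores orphaned registry entries that no longer have a file behind them and reports per-category removal rates; both inventories are constructed sample data.

```python
"""Score a cleanup run the way the quoted review does: only components
that can still load/run count, grouped per category. Data is constructed."""
from collections import defaultdict

# Constructed inventory of an infected test image before cleanup.
# Each entry: (category, identifier, backing file present on disk?)
BEFORE = [
    ("process", "bargains.exe", True),
    ("process", "wintools.exe", True),
    ("startpage", "HKCU\\...\\Main\\Start Page", True),
    ("bho", "{CLSID-constructed-toolbar}", True),
    ("startup", "HKLM\\...\\Run\\Cydoor", True),
    ("startup", "HKLM\\...\\Run\\OldLeftover", False),  # orphan key, no file
    ("other", "IE toolbar button", True),
]

# Constructed inventory of the same image after the product's cleanup run.
AFTER = [
    ("startpage", "HKCU\\...\\Main\\Start Page", True),  # not reverted
    ("startup", "HKLM\\...\\Run\\OldLeftover", False),   # still there, benign
]


def active(entries):
    """Entries with a file behind them can load/run; orphans are noise and
    would only inflate a 'detections remaining' count."""
    return {(cat, ident) for cat, ident, has_file in entries if has_file}


def removal_rates(before, after):
    """Percentage of active components removed, per category and overall."""
    b, a = active(before), active(after)
    per_cat = defaultdict(lambda: [0, 0])  # category -> [removed, total]
    for cat, ident in b:
        per_cat[cat][1] += 1
        if (cat, ident) not in a:
            per_cat[cat][0] += 1
    rates = {cat: round(100 * r / t) for cat, (r, t) in per_cat.items()}
    removed = sum(r for r, _ in per_cat.values())
    total = sum(t for _, t in per_cat.values())
    rates["overall"] = round(100 * removed / total) if total else 0
    return rates


if __name__ == "__main__":
    for category, pct in sorted(removal_rates(BEFORE, AFTER).items()):
        print(f"{category:10s} {pct:3d}% removed")
    print("still active:", sorted(active(AFTER)))
```

The leftover Run key with no file is excluded from both the denominator and the "still active" list, which is the distinction the message draws between a neutered infection and a cosmetic remnant.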

