Quick review of MS AntiSpyware reputed functionality

From: Alessandro Crugnola (A.Crugnola_at_oracle.us.com)
Date: 01/09/05


Date: Sun, 09 Jan 2005 20:12:45 GMT

Microsoft (aka GIANT) Anti-Spyware quick review
- Installation is apparently problematic for some (such as I) ...
- But most seem to be installed within a few days of trying ...
- Judging by the help from specific Microsoft private newsgroups ...
- And from USENET NNTP public newsgroups (such as this one) ...
- After running the program four or five times, I can say ...
- The Microsoft GIANT AntiSpyware Program has multiple features ...
- For example, it searches for spyware in memory ...
- And it searches for spyware & trojans on disk ...
- It has two disk scans; Scan & "Deep Scan", whatever that is ...
- And it searches for the bad guys in the Windows registry ...
- It can also run something called a "Quick Scan" ...
- Whatever it finds, it sends to a network (if enabled) ...
- This network seems to be based on collective intelligence ...
- Unknown items can be sent to the network for analysis ...
- There is also a "Microsoft Suspected Spyware Reporting Tool" ...
- This tool is basically a manual to-be-filled form with blanks ...
- You fill out your name, email address & problem description ...
- Then you press the "Create Report" button to send it in ...
- Microsoft Giant Anti-Spyware can schedule a scan every day ...
- It can delete or quarrantine the suspected bad guy ...
- It will save the scan history if you enable that option ...
- A second major ability seems to be real-time locks ...
- The MS Giant Anti-Spyware program has 3 protection states ...
- One is called the "Internet Agent" ...
- Another is called the "System Agent" ...
- The third is called the "Application Agent" ...
- The Internet Agent activates & deactivates "checkpoints" ...
- Some IA checkpoints are WiFi Connection & Dialup Connection, ...
- Internet Safe Sites, Winsock Layered Service Providers, ...
- Windows Messenger Service, Spam Zombie Protection, ...
- Internet Proxy Server, Name Server Protection, etc., ...
- For each of the above, it provides descriptive info ...
- For example, for "TCPIP Parameters", it provides ...
- TCPIP Parameters Status = Active ...
- TCPIP Parameters Description = Prevents threats from
  modifying TCPIP parameters used by windows to send and
  receive network data. TCP/IP configuration parameters are
  registry parameters that are used to configure the protocol
  driver, Tcpip.sys. Tcpip.sys implements the standard TCP/IP
  network protocols. Some spyware threats such as CoolWebSearch
  can modify these parameters and take advantage of your computer.
- For each of these "Internet Agent Checkpoints" there are 4 options:
- Option 1: Activate checkpoint ...
- Option 2: Deactivate checkpoint ...
- Option 3: Manage checkpoint (allowed/blocked) ...
- Option 4: Learn about this checkpoint ...
- The first three are self explanatory;
- The fourth brings up a bit more info than stated already ...
- Similar functionality exists in the "System Agent" ...
- Some system agent checkpoints are Windows Host File, ...
- Windows Services, Context Menu Handler, Windows System.ini File ...
- Windows Shell Open Commands, Windows Directory Trojans, ...
- Windows Extensions, Windows Win.ini File, Control.ini Policy, ...
- Ini File Mapping, Shared TaskScheduler, Winlogon Shell, ...
- Approved Shell Extensions, Shell Service Object Delay Load, ...
- User Shell Folders, Winlogon Userinit, AppInit DLLs, ...
- Explorer Trojan, Windows Password Protection, Windows Protocols ...
- Windows Update Service, Windows Restrict Anonymous, etc., ...
- For each of the above, it provides descriptive info ...
- For example, for "WOW Boot Shell", it provides ...
- WOW Boot Shell Status = Active ...
- WOW Boot Shell Description = Prevents spyware threats from
  loading a particular file during Windows boot up.
  WOW\Boot\Shell is a Windows registry entry that will allow a
  particular program to be shelled (loaded) when Windows boots up.
- For each of these "System Agent Checkpoints" there are 4 options:
- Option 1: Activate checkpoint ...
- Option 2: Deactivate checkpoint ...
- Option 3: Manage checkpoint (allowed/blocked) ...
- Option 4: Learn about this checkpoint ...
- Again, "Learn about" supplies little more than the description ...
- As noted, the third protection state is the "Application Agent" ...
- Some Application Agent checkpoints are Process Execution, ...
- Running Processes, Startup Files, Startup Registry Files, ...
- ActiveX Installations, Browser Helper Objects, Script Blocking, ...
- Internet Explorer Explorer Bars, Internet Explorer Extensions, ...
- Internet Explorer Toolbars, Internet Explorer URLs, ...
- Internet Explorer Security Settings, IE 3rd. Party Cookies, ...
- IE Plugins, IE Security Zones, IE ShellBrowser, IE Trusted Sites, ...
- IE WebBrowser, URL Search Hooks, IE Explorer Menu Extension, ...
- Disable Regedit Policy, IE Reset Web Settings, IE Restrictions, ...
- Application Restrictions, Installed Components, etc., ...
- Again, you see 4 options (activate, deactivate, manage, learn) ...
- Notice MOST of these "Application Agent Checkpoints" are IE related ...
- Since none of us use Internet Explorer (as per the US government) ...
- They won't help us much in my opinion ... and noticeably lacking ...
  are Mozilla Firefox and other browser settings (drat) ...
- There are four additional so-called "Advanced Tools" ...
- The first is called the "System Explorer" ...
- The second is named the "Advanced File Analyzer" ...
- The third is labeled a "Browser Hijack Settings Restore" ...
- The fourth is a "Tracks Eraser" ...
- The System Explorer is Tweak-UI & StartUp Cop on steroids ...
- It handles three very important sets of common applications ...
- Downloaded ActiveX, Running Processes, & Startup Programs ...
- The System Explorer manages the problematic Internet Explorer ...
- Internet Explorer IE BHOs, IE Settings, IE Toolbars, ...
- The Networking part covers Winsock LSPs & the Windows Host File ...
- And the System section covers Shell Execute Hooks ...
- I think the best of the above is the explanation of all
  startup programs & running processes (finally, offline)!
- For example, the "Startup Programs" section has 5 locations ...
- The first startup location is the Registry Local Machine Run ...
- The second startup is the Registry Local Machine RunOnce ...
- The third startup location is the Registry Current User Run ...
- The fourth startup location is the Winlogon Userinit ...
- And the fifth startup location is the Winlogon Shell ...
- For each, there is a line for each program to be run ...
- And, as before, a quick description related to spyware threats ...
- Likewise for the "Running Processes" section ...
- Each of a score of processes is outlined & explained ...
- For example, "jusched.exe" was running on my system ...
- This "Running Processes" section explained the following:
- This is a known process, there are no known security issues ...
  or privacy issues with this application ...
- Even so, this "Running Processes" tool provides two options:
- Stop the process from running now ...
- Learn more about this application ...
- This time, instead of an off-line help of minor use ...
- Hitting "Learn More" brings up a port 80 call ...
- Pointed to http://www.spynet.com [216.32.240.29] ...
- Which, as has been the case, supplies nothing more than
  what was already available in the off-line description ...
- In the Advanced Tools section "Browser Hijack Restore" tool ...
- Again, it's almost exclusively Internet Explorer related ...
- There is little to nothing about the browser we actually use ...
- For example this reputedly "protects" your "Start Page" ...
- And it purportedly protects your "Local Page"; however ...
- It does so by setting to www.msn.com (which nobody uses) ...
- Likewise, it "protects" other Internet Explorer settings ...
- Such as Start Page (all users), Local Page (all users), ...
- Customize Search (all users), Search Assistant (all users), ...
- Blank Page, Desktop Navigation Failure, Navigation Canceled, ...
- Navigation Failure, Offline Information, Post Not Cached, etc. ...
- Most (if not all) of which are protected merely by setting ...
- them to a Microsoft web page (e.g., ie.search.msn.com) ...
- This Restore Hijacked IE Browser Settings has only 2 options ...
- The first is to "Change restore setting to a new URL" ...
- The other is to "Restore this setting now" (to MS defaults) ...
- The last "Advanced Tools" of interest is the "Tracks Eraser" ...
- This provides a quick means to "Erase Tracks" such as ...
- Adobe Acrobat Reader 4.0, Adobe Acrobat Reader 6.0, ...
- Microsoft Common Dialog - File/Folder Lists, ICQ, ...
- Google Toolbar History, Internet Explorer History, ...
- Internet Explorer Cookies, Kazaa History, RegEdit History, ...
- IE Intelligent Forms - Auto Complete Passwords, ...
- IE URL History, Microsoft Photo Editor History, ...
- Microsoft Paint History, Microsoft Direct Draw History, ...
- Office 97 Recent Files History, Office 2000 Recent Files, ...
- Real Networks Real Player 6.0 History, Start Menu Run History, ...
- Start Menu Search History, Temporary Internet Files History, ...
- Visual Studio 6.0 History, Visual Basic 6.0 Recent Files, ...
- Windows Explorer History, Windows FTP Accounts, ...
- Windows Mapped Drives, Windows Media Player, ...
- Windows Recycle Bin, Windows Recent Documents, WinRAR History, ...
- Windows Temporary Files, WinZip History, WordPad History, etc., ...
- Again, the major fault with these settings is the dire lack
  of non Microsoft tools & the inability to add them to the list ...
- In this section, there is only one option (erase or not erase).
- I guess that's two options ... but I'm getting tired.

In summary, the Microsoft AntiSpyware Beta1 tool DOES contain
many useful features ... particularly the ability to more
easily ascertain a threat and to deal with it ... but it suffers,
like all Microsoft products, from the inability to handle non-MS
tools that we all use in our day-to-day activities.

Differing opinions are welcome & solicited so we all benefit.
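The five startup locations the review lists under "Startup Programs" (Local Machine Run, Local Machine RunOnce, Current User Run, Winlogon Userinit, Winlogon Shell) can be inspected without the tool. The script below is an added example, not code from the post or from Microsoft/GIANT; it assumes a standard Windows install where the Winlogon defaults are `userinit.exe,` and `explorer.exe`, and flags those two values when they differ so a persistence change stands out for review.

```powershell
# Added example (not from the original post): enumerate the five startup
# locations named in the review and flag Winlogon values that deviate from
# their documented defaults. Read-only; nothing is modified.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumption: defaults of a stock install (Userinit keeps its trailing comma).
$expected = @{
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}

function Get-StartupEntries {
    # Run / RunOnce values: one registry value per program that will be launched.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties PowerShell adds to the object.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = $p.Value; Status = 'review'
            }
        }
    }
    # Winlogon Userinit and Shell: compare against the expected default, ignoring case.
    $wl = Get-ItemProperty -Path $winlogon
    foreach ($name in $expected.Keys) {
        $actual = [string]$wl.$name
        $status = if ($actual.Trim() -ieq $expected[$name]) { 'default' } else { 'CHANGED' }
        [pscustomobject]@{
            Location = $winlogon; Name = $name; Command = $actual; Status = $status
        }
    }
}

Get-StartupEntries | Format-Table -AutoSize
```

Any row marked CHANGED under Winlogon, or an unfamiliar command under the Run keys, is the same kind of item the review says the "Startup Programs" section describes; this script only lists them and leaves the decision to the operator.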


