Quick review of MS AntiSpyware reputed functionality

From: Alessandro Crugnola (A.Crugnola_at_oracle.us.com)
Date: 01/09/05


Date: Sun, 09 Jan 2005 20:12:45 GMT

Microsoft (aka GIANT) Anti-Spyware quick review
- Installation is apparently problematic for some (such as I) ...
- But most seem to be installed within a few days of trying ...
- Judging by the help from specific Microsoft private newsgroups ...
- And from USENET NNTP public newsgroups (such as this one) ...
- After running the program four or five times, I can say ...
- The Microsoft GIANT AntiSpyware Program has multiple features ...
- For example, it searches for spyware in memory ...
- And it searches for spyware & trojans on disk ...
- It has two disk scans; Scan & "Deep Scan", whatever that is ...
- And it searches for the bad guys in the Windows registry ...
- It can also run something called a "Quick Scan" ...
- Whatever it finds, it sends to a network (if enabled) ...
- This network seems to be based on collective intelligence ...
- Unknown items can be sent to the network for analysis ...
- There is also a "Microsoft Suspected Spyware Reporting Tool" ...
- This tool is basically a manual to-be-filled form with blanks ...
- You fill out your name, email address & problem description ...
- Then you press the "Create Report" button to send it in ...
- Microsoft Giant Anti-Spyware can schedule a scan every day ...
- It can delete or quarrantine the suspected bad guy ...
- It will save the scan history if you enable that option ...
- A second major ability seems to be real-time locks ...
- The MS Giant Anti-Spyware program has 3 protection states ...
- One is called the "Internet Agent" ...
- Another is called the "System Agent" ...
- The third is called the "Application Agent" ...
- The Internet Agent activates & deactivates "checkpoints" ...
- Some IA checkpoints are WiFi Connection & Dialup Connection, ...
- Internet Safe Sites, Winsock Layered Service Providers, ...
- Windows Messenger Service, Spam Zombie Protection, ...
- Internet Proxy Server, Name Server Protection, etc., ...
- For each of the above, it provides descriptive info ...
- For example, for "TCPIP Parameters", it provides ...
- TCPIP Parameters Status = Active ...
- TCPIP Parameters Description = Prevents threats from
  modifying TCPIP parameters used by windows to send and
  receive network data. TCP/IP configuration parameters are
  registry parameters that are used to configure the protocol
  driver, Tcpip.sys. Tcpip.sys implements the standard TCP/IP
  network protocols. Some spyware threats such as CoolWebSearch
  can modify these parameters and take advantage of your computer.
- For each of these "Internet Agent Checkpoints" are 4 options:
- Option 1: Activate checkpoint ...
- Option 2: Deactivate checkpoint ...
- Option 3: Manage checkpoint (allowed/blocked) ...
- Option 4: Learn about this checkpoint ...
- The first three are self-explanatory;
- The fourth brings up a bit more info than stated already ...
- Likewise functionality exists in the "System Agent" ...
- Some system agent checkpoints are Windows Host File, ...
- Windows Services, Context Menu Handler, Windows System.ini File ...
- Windows Shell Open Commands, Windows Directory Trojans, ...
- Windows Extensions, Windows Win.ini File, Control.ini Policy, ...
- Ini File Mapping, Shared TaskScheduler, Winlogon Shell, ...
- Approved Shell Extensions, Shell Service Object Delay Load, ...
- User Shell Folders, Winlogon Userinit, AppInit DLLs, ...
- Explorer Trojan, Windows Password Protection, Windows Protocols ...
- Windows Update Service, Windows Restrict Anonymous, etc., ...
- For each of the above, it provides descriptive info ...
- For example, for "WOW Boot Shell", it provides ...
- WOW Boot Shell Status = Active ...
- WOW Boot Shell Description = Prevents spyware threats from
  loading a particular file during Windows boot up.
  WOW\Boot\Shell is a Windows registry entry that will allow a
  particular program to be shelled (loaded) when Windows boots up.
- For each of these "System Agent Checkpoints" are 4 options:
- Option 1: Activate checkpoint ...
- Option 2: Deactivate checkpoint ...
- Option 3: Manage checkpoint (allowed/blocked) ...
- Option 4: Learn about this checkpoint ...
- Again, "Learn about" supplies little more than the description ...
- As noted, the third protection state is the "Application Agent" ...
- Some Application Agent checkpoints are Process Execution, ...
- Running Processes, Startup Files, Startup Registry Files, ...
- ActiveX Installations, Browser Helper Objects, Script Blocking, ...
- Internet Explorer Explorer Bars, Internet Explorer Extensions, ...
- Internet Explorer Toolbars, Internet Explorer URLs, ...
- Internet Explorer Security Settings, IE 3rd. Party Cookies, ...
- IE Plugins, IE Security Zones, IE ShellBrowser, IE Trusted Sites, ...
- IE WebBrowser, URL Search Hooks, IE Explorer Menu Extension, ...
- Disable Regedit Policy, IE Reset Web Settings, IE Restrictions, ...
- Application Restrictions, Installed Components, etc., ...
- Again, you see 4 options (activate, deactivate, manage, learn) ...
- Notice MOST of these "Application Agent Checkpoints" are IE related ...
- Since none of us use Internet Explorer (as per the US government) ...
- They won't help us much in my opinion ... and noticeably lacking ...
- are Mozilla FireFox and other browser settings (drat) ...
- There are four additional so-called "Advanced Tools" ...
- The first is called the "System Explorer" ...
- The second is named the "Advanced File Analyzer" ...
- The third is labeled a "Browser Hijack Settings Restore" ...
- The fourth is a "Tracks Eraser" ...
- The System Explorer is Tweak-UI & StartUp Cop on steroids ...
- It handles three very important sets of common applications ...
- Downloaded ActiveX, Running Processes, & Startup Programs ...
- The System Explorer manages the problematic Internet Explorer ...
- Internet Explorer IE BHOs, IE Settings, IE Toolbars, ...
- The Networking part covers Winsock LSPs & the Windows Host File ...
- And the System section covers Shell Execute Hooks ...
- I think the best of the above is the explanation of all
  startup programs & running processes (finally, offline)!
- For example, the "Startup Programs" section has 5 locations ...
- The first startup location is the Registry Local Machine Run ...
- The second startup is the Registry Local Machine RunOnce ...
- The third startup location is the Registry Current User Run ...
- The fourth startup location is the Winlogon Userinit ...
- And the fifth startup location is the Winlogon Shell ...
- For each, there is a line for each program to be run ...
- And, as before, a quick description related to spyware threats ...
- Likewise for the "Running Processes" section ...
- Each of a score of processes is outlined & explained ...
- For example, "jusched.exe" was running on my system ...
- This "Running Processes" section explained the following:
- This is a known process, there are no known security issues ...
- or privacy issues with this application ...
- Even so, this "Running Processes" tool provides two options:
- Stop the process from running now ...
- Learn more about this application ...
- This time, instead of an off-line help of minor use ...
- Hitting "Learn More" brings up a port 80 call ...
- Pointed to http://www.spynet.com [216.32.240.29] ...
- Which, as has been the case, supplies nothing more than
- what was already available in the off-line description ...
- In the Advanced Tools section "Browser Hijack Restore" tool ...
- Again, it's almost exclusively Internet Explorer related ...
- There is little to nothing about the browser we actually use ...
- For example this reputedly "protects" your "Start Page" ...
- And it purportedly protects your "Local Page"; however ...
- It does so by setting to www.msn.com (which nobody uses) ...
- Likewise, it "protects" other Internet Explorer settings ...
- Such as Start Page (all users), Local Page (all users), ...
- Customize Search (all users), Search Assistant (all users), ...
- Blank Page, Desktop Navigation Failure, Navigation Canceled, ...
- Navigation Failure, Offline Information, Post Not Cached, etc. ...
- Most (if not all) of which are protected merely by setting ...
- them to a Microsoft web page (e.g., ie.search.msn.com) ...
- This Restore Hijacked IE Browser Settings has only 2 options ...
- The first is to "Change restore setting to a new URL" ...
- The other is to "Restore this setting now" (to MS defaults) ...
- The last "Advanced Tools" of interest is the "Tracks Eraser" ...
- This provides a quick means to "Erase Tracks" such as ...
- Adobe Acrobat Reader 4.0, Adobe Acrobat Reader 6.0, ...
- Microsoft Common Dialog - File/Folder Lists, ICQ, ...
- Google Toolbar History, Internet Explorer History, ...
- Internet Explorer Cookies, Kazaa History, RegEdit History, ...
- IE Intelligent Forms - Auto Complete Passwords, ...
- IE URL History, Microsoft Photo Editor History, ...
- Microsoft Paint History, Microsoft Direct Draw History, ...
- Office 97 Recent Files History, Office 2000 Recent Files, ...
- Real Networks Real Player 6.0 History, Start Menu Run History, ...
- Start Menu Search History, Temporary Internet Files History, ...
- Visual Studio 6.0 History, Visual Basic 6.0 Recent Files, ...
- Windows Explorer History, Windows FTP Accounts, ...
- Windows Mapped Drives, Windows Media Player, ...
- Windows Recycle Bin, Windows Recent Documents, WinRAR History, ...
- Windows Temporary Files, WinZip History, WordPad History, etc., ...
- Again, the major fault with these settings is the dire lack
  of non-Microsoft tools & the inability to add them to the list ...
- In this section, there is only one option (erase or not erase).
- I guess that's two options ... but I'm getting tired.

In summary, the Microsoft AntiSpyware Beta1 tool DOES contain
many useful features ... particularly the ability to more
easily ascertain a threat and to deal with it ... but it suffers
like all Microsoft products, from the inability to handle non-MS
tools that we all use in our day-to-day activities.

Differing opinions are welcome & solicited so we all benefit.
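As an added example (not code from this post, and not part of the Microsoft/GIANT product it reviews), the PowerShell script below does offline what the review credits the "System Explorer" startup section with: it enumerates the five startup locations listed there (Local Machine Run, Local Machine RunOnce, Current User Run, Winlogon Userinit, Winlogon Shell) and flags entries that deviate from the stock defaults. The function names (Get-StartupEntries, Test-WinlogonDefaults, Get-SuspiciousStartupEntries) are chosen for this example, and the "expected" Winlogon values are the standard Windows defaults assumed here, not values taken from the post.

```powershell
# Added example: audit the five startup locations named in the review.
# Assumes read access to HKLM and HKCU on the local machine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# One object per value under the three Run/RunOnce keys.
function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip it.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
            }
        }
    }
}

# Compare the two Winlogon values against their stock defaults (assumed here):
# Shell = "explorer.exe" and Userinit = "<SystemRoot>\system32\userinit.exe,".
# Anything appended to either runs at every logon, which is why the product
# treats them as checkpoints.
function Test-WinlogonDefaults {
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $wl
    $findings = @()

    if ($props.Shell -ne 'explorer.exe') {
        $findings += "Winlogon Shell is '$($props.Shell)' (expected 'explorer.exe')"
    }

    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    $parts = @(($props.Userinit -split ',') | Where-Object { $_.Trim() -ne '' })
    if ($parts.Count -ne 1 -or $parts[0].Trim().ToLower() -ne $expected.ToLower()) {
        $findings += "Winlogon Userinit is '$($props.Userinit)' (expected '$expected,')"
    }
    return $findings
}

# Heuristic, not a verdict: Run-key commands that start outside the Windows
# or Program Files trees deserve a closer look.
function Get-SuspiciousStartupEntries {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.ToLower() }
    Get-StartupEntries | Where-Object {
        $cmd = $_.Command.ToLower().Trim('"')
        -not ($trusted | Where-Object { $cmd.StartsWith($_) })
    }
}

Get-StartupEntries | Format-Table -AutoSize
Test-WinlogonDefaults
Get-SuspiciousStartupEntries | Format-Table -AutoSize
```

On 64-bit systems the Wow6432Node copies of the Run keys are a sixth location this script does not cover; add them to $runKeys if that applies. The path heuristic will also flag legitimate programs installed under a user profile, so read its output as a list to review, not a list to delete.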