Larry Osterman's WebLog

Confessions of an Old Fogey

Microsoft Anti-Spyware

  • Comments 23

I don't normally do "Me Too" posts, and I know that this one will get a lot of coverage on the Microsoft blogs, but the Seattle PI blog just mentioned that the beta of Microsoft's new anti-spyware solution was just released to the web here.

I installed it on my machines at work yesterday, and it seems pretty nice so far.  Of course I didn't have any spyware for it to find (because I'm pretty darned careful, and run as a limited user), but...  It'll be interesting to run it at home, especially since Valorie (and I) like playing some of the online games (like Popcap's) that get singled out as being spyware by some tools.

 

I have no knowledge of their final product plans, so it's pointless to ask.  All I know about this is what I've read in the press.

 

  • I just gave it a quick run-through, and it seems to be pretty good; the real-time warnings ("Something's trying to add itself to the startup bit of the registry!") are something I've not seen before.

    I've only run it on two machines so far -- my laptop (clean), and my "always on, mostly used as a file-server but also used by the rest of the family for web browsing, email, etc." machine, which had a couple of nasties on it. (My girlfriend doesn't seem to be able to get to grips with Firefox, so much to my dismay I have to leave IE easily accessible. :)

    Unfortunately it also identified "WinPCap" (an open-source packet filtering tool) as spyware. While I can kind of see why this might be considered a nasty, on its own it's pretty harmless. In its defense, though, it did set the action to take as "Ignore"...

    All in all, first impressions are good. I hope that this is going to be free in its final incarnation, and if it can be tied in to the Windows Security Center dealy perhaps fewer people will have problems in future.
  • /. picked up on WinPCap - read the exact text - it identifies that WinPCap might be spyware, because spyware uses it.

    I was actually really quite surprised by that, to be honest, it was a really intelligent thing to do.
  • Thinks Explorer.exe is spyware. The file it claims is a copy of Explorer.exe and has the same resources in it (string tables, menus) as the real Explorer.exe. It thinks it's something called little witch ftp server. I needed some files to test a For command on and copied the exes from Windows to c:\. (


    The other hit is something it claims is advertising spyware (I compiled this program myself from MS sample code that I modified - it's a/ deleted and b/ DOES not (or didn't) serve ads - it deleted selected text from web pages.

    2 false hits from 2. That is a 100% error rate.

    I know that this isn't your fault.
  • Just to see what would happen, I ran the tool from a limited user account, before running as an administrator. First time around, it loaded the resident component but reported error 103. I then ran the tool using Run As > Administrator from the Start Menu - the icon was still in the notification area - and got error 101.

    Once you've run it once as an administrator it seems to be OK.
  • Apart from my complaints that you might have read on Channel9 (GUI sucks ass) .. I am really pleased. I have wanted a virus-scanner style anti-spyware product for a while. :)
  • "...it identifies that WinPCap might be spyware, because spyware uses it."

    I appreciate that, but if it finds no spyware that *does* use it, then IMHO it shouldn't really flag it. After all, IE, WSH, etc., can be used by spyware, and those don't get picked up! (David's problem notwithstanding.)

    Ran it on two more machines and compared the results to AdAware -- they both picked up exactly the same problems, which bodes well.
  • Identified Sporder.dll in the system32 dir as "severe" spyware. Not sure what app installed it, but I shouldn't have any spyware on this machine. Spybot S&D picked up around 5 routine cookies, no mention of the dll. It appears the dll is a valid library for some apps, but can be used maliciously by others. Not wise for MS to include it without some notation.
  • "...it identifies that WinPCap might be spyware, because spyware uses it."

    I wonder what version of winpcap/ms anti spyware you are using. I've got winpcap 3.0 on XP and ms anti-spyware doesn't identify it as spyware. The Spyware Definitions are 5680.

    On the other hand ms anti-spyware has detected nothing on my machine. After reading all of these false positive reports I really wonder what I've done wrong with my installation of ms anti-spyware :)
  • The only thing it found on my machine was RealVNC. I'd appreciate that an unwanted VNC server could be a sign of spyware, but I only installed the client to remote onto my Mac.

    Other than that I really like it, and I was very impressed by the comprehensive approach Microsoft appears to be taking judging by the article here.
    http://www.microsoft.com/athome/security/spyware/strategy.mspx
  • sporder.dll (and its sporder.exe frontend) is a util for checking and changing the Winsock provider order. It has legitimate uses (for example, ISA2000 client uses it), but some spyware uses it too (WebHancer). I also think it should be off the list.
  • Let us assume for the moment that I am not a power-user and instead some reasonably intelligent user who understands that spyware could be a problem on my machine. Would I rather have a spyware detector tell me:
    1) something has the potential of being a problem, but isn't currently, or
    2) not tell me about a potential problem?

    If the program tells me I don't have any problems, I go off in gleeful ignorance so in my opinion, that's the wrong answer.

    If the program tells me I could have a problem, but don't currently, then I have the opportunity to be an idiot and delete on fear or I can stay rational and find out more information about the potential problems. I would venture to say that googling the potential problem will garner me a great deal of information upon which I could make my decision.

    In my opinion, spyware apps are designed for an intelligent, rational user. The ones I have tried thus far fail miserably on that account. They either provide way too many warnings that are unintelligible to the average intelligent user or they seem to encourage one to be an idiot and delete on fear.

    I appreciate that you all are very knowledgeable about the internals of what exactly is on your machine. I would imagine that use of any anti-spyware application serves merely to reinforce that you have no surprises.

    For the average, intelligent user, anti-spyware applications need to serve as a line of defense against the unknown. I may not know what dangers I may encounter when I go out, but the more I know about what kinds of dangers are out there, the more prepared I am to counteract them.

    As usual, my warped ideas merely embarrass Larry and have no relationship to his own ideas other than to provide dinner conversation.
  • The problem with "potential problems" is that most users (our moms, grandmas, cousins, friends) tend to ignore what's said and just "click through" whatever error messages they see. This can have huge complications if it's not done correctly but trying to "learn" these people to READ THEIR SCREENS is a feat in and of itself.

    If it finds WinPCap in the default directory and produces an error, I think that's wrong. Any decently computer-literate user could see the WinPCap entry in Program Files and remove or delete it if they're wondering what it is. If WinPCap shows up under some obscure directory like "My Web Search" or some equally weird name THEN it should pop up with nice flashy warnings saying "Hey, you probably have spyware because this packet sniffing tool isn't where it should be, it's under some spyware like directory. Should I remove it? Yes/No/Remind Me Later"

    The Wife:
    "I would venture to say that googling the potential problem will garner me a great deal of information upon which I could make my decision."

    That's EXACTLY what I do when I find anything. I want to know what the heck I'm looking at and there's tons of people posting questions about many of the same applications we run. Not doing so seems foolish for anyone who gets a virus/spyware/malware/etc.

    The cool part about Adaware was that it took a snapshot of what you were doing so that you could revert back if you did something wrong. It saved my butt from a jam where my network settings were disabled from some winsock infecting spyware. I had to restore the spyware to get onto the network, but I got the fix and was able to patch it without any major damage. If Microsoft's Anti-Spyware doesn't include something like this, they should do it before it goes 1.0. This will help those paranoid "delete first, ask questions later" from ruining their systems or part of their systems.

    Mike:
    "Once you've run it once as an administrator it seems to be OK."

    That's true for a lot of applications. It's probably because it needs some files created in C:\Program Files\ that normally can't be created as a limited user. The alternative might be to grant your user or users write access to the directory to see if it works. I typically do this anyway for programs that are that anal. It could also be that it needed to create keys in HKEY_LOCAL_MACHINE which can't be created by a limited user, period. Most of the time when you need to run it as administrator it usually is because of the registry and not so much the Program Files folder.
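    The comment above offers two hypotheses for the first-run failure under a limited account: the app cannot create files under Program Files, or it cannot create keys under HKEY_LOCAL_MACHINE. The PowerShell below is an added example (not from the post or its commenters) that probes both locations from the limited account and reports which one is not writable; the `ExampleApp` folder and `ExampleVendor\ExampleApp` key are placeholders, and both must already exist.

```powershell
# Added example: probe write access to an app's Program Files folder and its
# HKLM key from the current (limited) account. Paths are placeholders.
param(
    [string]$AppDir = "$env:ProgramFiles\ExampleApp",            # placeholder
    [string]$AppKey = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'  # placeholder
)

# Runs $Create, then $Remove to clean up; any terminating error means "not writable".
function Test-WriteAccess {
    param([string]$Path, [scriptblock]$Create, [scriptblock]$Remove)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Writable = $null; Error = 'path does not exist' }
    }
    try {
        & $Create
        & $Remove
        [pscustomobject]@{ Path = $Path; Writable = $true; Error = $null }
    } catch {
        [pscustomobject]@{ Path = $Path; Writable = $false; Error = $_.Exception.Message }
    }
}

# Unique probe names so a leftover from an earlier run never collides.
$probeFile = Join-Path $AppDir ('write-probe-{0}.tmp' -f [guid]::NewGuid())
$probeKey  = Join-Path $AppKey 'WriteProbe'

$results = @(
    Test-WriteAccess -Path $AppDir `
        -Create { New-Item -ItemType File -Path $probeFile -ErrorAction Stop | Out-Null } `
        -Remove { Remove-Item -Path $probeFile -ErrorAction Stop }
    Test-WriteAccess -Path $AppKey `
        -Create { New-Item -Path $probeKey -ErrorAction Stop | Out-Null } `
        -Remove { Remove-Item -Path $probeKey -ErrorAction Stop }
)

# A row with Writable = False is the location that forces the first run as administrator.
$results | Format-Table -AutoSize
```

    Run it before the first administrative launch; if only the folder row fails, granting the limited user write access to that directory (as the commenter suggests) is enough, whereas an HKLM failure needs the one-time admin run.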
  • Microsoft AntiSpyware does include the snapshot feature, it just plugs into SystemRestore which is already part of XP. You can tick a box to create a new snapshot before you let it make any changes to the system.
  • Most wives I know refuse to read their husband's writings for any reason. I'm good looking, no beard, with hair on top of my head rather than my chin. Leave Larry and come to me.
  • And I think MSFT's move into the AntiSpyware/AntiVirus market is a completely outrageous thing to do and will eventually cause the AntiTrust case to be back in a couple of years.
    MSFT is just writing: "please sue me"…
    This is absolutely out of control!: the same company first creates security holes and then fixes them… Ever lived in socialism? I did…
    Amazing! Only in America!