In-Depth

Spyware Meets Its Match -- Almost

Microsoft's anti-spyware tool works well enough, but some readers question its categorization and detection capabilities.

Spyware is here with a vengeance. A recent study by research firm IDC revealed that more than two-thirds of the world's workplace computers are infected with some form of spyware or malware. This translates into untold hours of frustration, lost productivity and serious security risks.

In fact, the 600 global organizations surveyed for the November 2004 study rated spyware as the fourth greatest threat to enterprise network security, which led IDC to predict that anti-spyware software revenue will grow to $305 million in 2008, up from $12 million in 2003.

Those kinds of numbers don't go unnoticed at Microsoft. Last December, the company bought anti-spyware firm Giant Software. Microsoft quickly repurposed Giant's tool, renamed it and released it as a free beta. (While Microsoft initially renamed it Windows AntiSpyware, at press time it had renamed it again to Windows Defender.) By most accounts, Microsoft Windows AntiSpyware works well. It sports Giant's admired spyware detection features, and leverages an inside line on Windows to make spyware removal and cleanup efficient and stable.

"It's Microsoft-made, so it knows how to remove something when it finds it," says Neal Zimmerman, northeastern field services manager at a nationwide education firm. Zimmerman's company has rolled out the beta to more than 3,000 Windows XP and 2000 machines. "It knows all the registry keys to look in and knows all the DLL associations, so it can rebuild things properly."

Most users find Microsoft's tool is reliable for detecting spyware. Nawar Aljanabi, senior systems administrator at Sierra Systems Group in Vancouver, British Columbia, has it installed on both his home and work machines. He also uses other detection tools like Lavasoft's Ad-Aware and Webroot Software's Spy Sweeper. "I like to compare the results between Microsoft's and the other third-party tools," he says, "but it catches the same ones the others do."

Microsoft Windows AntiSpyware Beta (now called Windows Defender)

Free to currently licensed Windows customers
Microsoft Corp.
800-426-9400
www.microsoft.com

William Felton agrees with that assessment. "I've been thrilled with it," says Felton, a network specialist for the Des Moines Public Schools in Des Moines, Iowa. "I tried it on two machines here and at home. It's been flawless."

Windows AntiSpyware's full feature set is what most impresses Dave Stambaugh, a systems administrator at Cleveland, Ohio-based Gallo Displays. "I think it's a very well-rounded product," he says. "It has a lot of features that let you delve into things that normally users wouldn't know about, like browser helper objects."

Giant Steps
Not all users are convinced. Richard Schulman, IT director at Kidde Fire Fighting in Exton, Pa., spent most of 2004 searching for a comprehensive anti-spyware tool to roll out to his company's 200 XP workstations. He eventually discovered Giant Software. "I had tried a number of other products. Then I found Giant, installed it on my home computer and thought it was great," he says. When he went back to purchase the tool, he learned that Giant had been bought by Microsoft.

Schulman was hoping for a single solution to root out spyware, and thought he had found it in Giant's tool. "The Giant product seemed to do it—until Microsoft bought it," he says. "Usually, Microsoft will buy a product and then make it better. This seems to be a product they bought and made it worse."

Schulman plans to remove the tool from his home systems, and has scrapped plans for a company-wide rollout. "At this point there would be no reason for me to roll it out at work because it honestly doesn't do anything," he says.

Felton says his version of Windows AntiSpyware has grown disconcertingly quiet of late, but the tool worked well during testing. He recently used it to visit a "crack" site—a site notorious for passing along virus and spyware infections.

Felton configured a machine with Windows XP Service Pack 2, Symantec's Norton AntiVirus and Windows AntiSpyware. Then he visited the site. "It came up rapid fire that my machine was being attacked," he says. "Symantec caught one virus attempt, Service Pack 2 kept the pop-ups from coming up, and the AntiSpyware detected about a dozen or so spyware attempts. It caught everything, so I know it's working."

Interface Issues
Microsoft would do well to rework the interface so all of its features and capabilities are more obvious and readily accessible, says James Clemens II. For example, while it's relatively straightforward to run a quick scan with Microsoft Windows AntiSpyware, executing a more in-depth scan requires paging through a couple of screens. "The quick scan does nothing that I can see," says Clemens, publisher at Micaspecialties.org, a computer security consultancy in Panama City, Fla. "If you don't set it up to do a full scan, you're likely to miss things. And I've run into a lot of people who weren't even aware that the full scan exists." While the scanning capabilities are indeed there, that quirk could lead to fewer spyware detections.

Other features that Clemens appreciates, although he wishes they were easier to find, are its ability to investigate browser helper objects—plug-ins installed by some forms of spyware—and the fact that it will restore browser settings hijacked by malware or spyware. "It has a lot of great features, but they're buried. If you don't know they're there, you might not realize it," he says.

Another reason some users may have missed spyware incidents with Microsoft Windows AntiSpyware is that updates tend to be sporadic. "Some machines don't pull down the AntiSpyware updates, even when they're set to automatically keep the signatures updated," says Pete Salak, an IT engineer at LAN Services LLC in San Jose, Calif.

The manner in which Windows AntiSpyware categorizes some spyware and malware could also lead to reduced detection. For example, it recommends that you allow certain instances of spyware, such as software from Claria Corp. You can still block Claria software, but uninformed users may automatically follow Microsoft's recommendation, which could lead to problems. That categorization gaffe led to such user outcry that Microsoft was forced to post this explanation: www.microsoft.com/athome/security/spyware/software/claria_letter.mspx.

With those issues in mind, most users agree that the best way to fend off spyware is to run multiple anti-spyware tools. "You'll never catch everything with just one anti-spyware program, whether it's Microsoft, Ad-Aware, Spybot-Search & Destroy or Webroot," says Stambaugh. "They all do good jobs, but for some reason, one tool can't catch everything. It's common knowledge that you should definitely run more than one."

5 Common Gripes: Windows AntiSpyware
Categorization Confusion: Microsoft shouldn't recommend that users allow Claria or any other software that acts like spyware.

Flaky Updates: When machines are set up to automatically pull down AntiSpyware updates, some do and some don't. Updates need to be more consistent.

Muddy Interface: The tool contains several important features that are buried and difficult to find.

More Admin Controls: Windows AntiSpyware needs more administrative-level controls so administrators can set block lists, lock it down and hook into other tools like SMS.

Dearth of Support: Windows AntiSpyware runs on XP and 2000 machines. Users say they would like to see it run on Windows 98 machines as well.

— J.C.

In Control
Perhaps the biggest change users would like to see is more administrative-level controls to make AntiSpyware easier to deploy and manage in a corporate setting. For example, Felton says he cannot roll out the software to his school district because the school's network operates behind a proxy. "The tool can't cross the proxy to get updates," he says.

Others would like more control over what Windows AntiSpyware allows and does not allow. Right now, when it detects spyware, Windows AntiSpyware prompts you to either allow or block the attempt. "Uneducated users may choose to allow something they shouldn't or choose to block something that they should allow," says Zimmerman.

This became a problem at his company, especially when Windows AntiSpyware detected logon scripts. "The first time we used it some users saw the pop-up about the logon scripts and didn't know what to do. They ended up blocking them, and we had to go in and reset all the settings."

Although most users say they're happy with Windows AntiSpyware, many have yet to roll it out to every machine in their network because it is still in beta. "It's been in beta for eight or nine months now, which is a long time for a beta," says Stambaugh. "They need to get it out."

Clemens says Microsoft has told him it will release Windows AntiSpyware in December and that it will remain free to consumers. He has also heard it will be rolled into Microsoft's upcoming OneCare toolset, as well as being part of Windows Vista when that debuts sometime next year. "It will be free for consumers, but it will also be available in corporate versions in OneCare and Windows Vista—and Microsoft may charge for that," he says, adding that the extra functionality and administrative controls would be worth it. "I'd pay for that," he says.


Reader Comments:

Sun, Jun 11, 2006 Lisa T. New York

This was very helpful. Maybe you can do another story on the remake, Windows Defender?

Tue, Dec 20, 2005 Al Milwaukee

I was infected about two months ago and Trend OfficeScan was of very limited help. I immediately disconnected from the LAN and isolated the issue to a newly installed system32 file and a couple of registry changes. One of our technicians suggested the Microsoft AntiSpyware beta. It correctly identified the malware and removed it from other people's machines and I was able to confirm that it performed the same actions I manually did. Note, as a company we continue to use OfficeScan but, as one person mentioned, I no longer trust it as my sole protection. Schulman's statement (from the article) about MS AntiSpyware not doing anything doesn't seem to make sense based on my results and what others have reported.

Sun, Dec 18, 2005 Stacy D. Anonymous

Well written!

Wed, Dec 14, 2005 integrationarchitect Florida

I failed to mention that for larger firms with EPO or Trend DCS, spyware is under control. The real problem is for smaller firms with fewer than 500 PCs, with limited budgets and IT staff. The free Windows tools are a good start if they keep up to date, but you have to babysit these updates and run night scans, etc.

I know IT staff and directors at several >500 PC firms and they all say SPYWARE is worse than VIRUS because they are able to stop VIRUS at the SMTP/Exchange ScanMail email gateway very well, as well as on XP desktops. Most users have to open ACTIVE X default security and turn off the pop-up blocker in order to do normal online things like track a package or view a billing statement, so this gets them infected with spyware. Spyware is more of a problem than VIRUS unless they have some other 3rd-party antispyware product installed and properly configured, and that takes IT department time.

Wed, Dec 14, 2005 integrationarchitect Florida

I also run TREND MICRO PC-CILLIN with Internet Security Suite 2006 [stand alone w/daily autoupdate] that schedules new downloads, a daily AV sweep and a separate spyware sweep each day. This product is also available in the OfficeScan Corporate [centrally managed edition] and it includes Damage Cleanup Services to automatically restore an infected system to pre-spyware condition.

I have used Trend to repair other infected systems that could not be otherwise recovered from problems Symantec Antispyware missed, or I would have had to format the PCs and reinstall XP or 2003 Server. This is never a problem once Trend is installed.

I like the MS Antispyware free tools, but they do not go down low, like locking all hosts files, locking the homepage, or unloading the web browser if a hack is attempted, as Trend's internet security sweep does.

You can do many of those lock settings with GPO domain mandatory machine policies too, but that can slow down network logon if they are not done very carefully.

I am waiting for Vista to see if things can be locked first and only opened up later instead of the reverse. ActiveX is powerful and great for web apps but a real problem unless you have a properly configured 3rd-party tool like Trend to protect the client.

Mon, Dec 12, 2005 Anonymous Anonymous

Very nice.

Fri, Dec 9, 2005 Cliff H Anonymous

Since MS Anti-spyware was introduced.

Fri, Dec 9, 2005 Cliff H Anonymous

I've used it since MS Anti-spyware was introduced, as well as all of the other products mentioned in this article. In addition, I run Trend Micro's anti-virus products. The combination of the two has eliminated the need to worry about spyware and viruses.

Wed, Dec 7, 2005 Patty G. Anonymous

Thanks for covering this software program! "5 Star Report"

Wed, Dec 7, 2005 Bill Harris Anonymous

I thought this was well written. I would like to see more articles like this. The statements reflect a wide range of data by the professionals that use this program!

Sun, Dec 4, 2005 Anonymous Anonymous

Who is J. C.? Joanne Cummings or James Clemens?

Sun, Dec 4, 2005 Ashley K. Anonymous

Well written and very informative. I was wondering about this software. Sounds like something my computer needs.

Sat, Dec 3, 2005 Tom P. Anonymous

I was glad to read about this scanner. I was considering trying it - I will download it tonight!

Sat, Dec 3, 2005 Anonymous Anonymous

Excellent story about this soon-to-be excellent security tool!
