Just a few months ago Bill Gates declared that Microsoft would do something about the spyware/adware problem. And the company wasted no time. In December it bought Giant Company Software. Giant wasnt an especially well-known company, but its product was well-regarded. Now, just one month later we have a free initial beta version of a Microsoft AntiSpyware product.
For a first beta of a first version of a Microsoft product, its a fabulous product. Of course, that would be a misleading description. Its as good as it is because Microsoft paid for a product with a good deal of development already behind it, and as a result they can go to market with a respectable solution. For now, anyone can download it for free from Microsofts Web site. The company has not said what the eventual pricing or distribution scheme will be, but we have also reported that they are planning a subscription service for updates.
This initial product is a simple repackaging of the Giant client and has no network manageability features that one might expect from a more mature Microsoft product. It does have a very simple installer. The default decisions are generally reasonable, although there are some strange behaviors. First, the program scans the system after the initial installation, but doesnt update itself first, so the initial scan is performed on old definitions.
Along the same lines, the installer defaults to setting the system up to scan at 2 a.m. and update itself at 3 a.m. Clearly, switching these times would be more effective. The scheduler is integrated with the program, not the standard Windows Scheduled Tasks facility, making it harder to tell what conflicts there might be with other tasks. Users also have the option of joining “SpyNet,” which appears to be simply a feature whereby the program reports back to Microsoft what threats it finds on your system.
I tested the MS AntiSpyware beta on three different systems and specifically sought out adware to test with. I had mixed results with both the real-time protection and the static scanner. For instance, I was able to download and install PurityScan, a well-known source of adware, without complaint from the program. Once I ran PurityScan, MS AntiSpyware complained that it attempted to install a Run key in the registry to execute itself at startup and to install a BHO (browser helper object, a plug-in to Internet Explorer). I chose to block both of these attempts.
Next Page: Anti-spyware vs. anti-virus.
Page 2
This exercise demonstrates some of the differences between an anti-spyware product, which focuses on blocking behaviors, and an anti-virus product, which focuses on blocking specific patterns in files. It still would have been better to block it at the download stage. When I ran a new static scan, it found files and registry entries for PurityScan and let me delete them.
PC Magazines review of MS AntiSpyware details more troublesome problems. It fell a clear second place to their current favorite, Webroot SpySweeper, and left behind serious threats that SpySweeper then cleared off.
I had one other problem, a false-positive result. I have one IE Favorites folder containing sports links to sites such as ESPN and MLB.com. MS AntiSpyware tagged all these links (the actual .url files) as “Adultlinks.QBar.” Theres no explanation of this, and I dont believe it, but the description of Adultlinks.QBar is a dire one: “High threat—High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy counter measures. May us[sic] a security flaw in the operating system to gain access to your computer.”
Microsoft actually publishes their criteria for designating a program as a threat in MS AntiSpyware. Many of these criteria correspond to specific “agents” in the program, which are behaviors that MS AntiSpyware is watching for. You can manage and deactivate these specific behaviors.
Giant was probably able to get away with problems that will attract scrutiny in a Microsoft program, so I wouldnt expect this program to keep its reputation under Giant. Its hard to judge anti-spyware products, partly because there are no standard test suites and certifications as there are with anti-virus. But one of the things we needed was for Microsoft to take the problem seriously, so were on the right track now.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer