Security Operating Systems Software Windows IT

MS AntiSpyware vs Ad-Aware vs. SpyBot 535

An anonymous reader writes "Flexbeta.net compares Microsoft's new spyware fighting tool, Windows AntiSpyware, to Ad-Aware and SpyBot S&D, the two leading spyware tools on the market today. The review sets up an infected PC using VMWare Workstation and scans the machine using all three tools to see which tool detects the most spyware. Though still in beta, Microsoft AntiSpyware does an amazing job at detecting spyware by finding twice as many infected files as Ad-Aware and nearly three times as many as SpyBot."
  • by Anonymous Coward on Saturday January 08, 2005 @03:28PM (#11298367)
    Let's not get too crazy. MS obtained Giant Software and this product was (very recently) Giant Anti-Spyware. It was a good spyware detection product well before MS was involved.
  • by nurb432 ( 527695 ) on Saturday January 08, 2005 @03:31PM (#11298402) Homepage Journal
    They just bought a company and rebranded..

    Wait a few generations, then it will be a 'true' Microsoft Product..
  • by Lindsay Lohan ( 847467 ) on Saturday January 08, 2005 @03:36PM (#11298457) Homepage Journal
    Also, I neglected to mention in my previous post...

    One factor behind MS AntiSpyware's success may be the use of quadratic probing [nist.gov] in a secondary clustering to traverse file patterns, which are stored in an acyclic graph.

    Fleischer and Trippen [cs.ust.hk] elaborate further on this technique in a Java implementation [sourceforge.net], which of course Microsoft did not employ. The rationale, however, is the same.
  • Re:Twice as much (Score:5, Informative)

    by Rob Carr ( 780861 ) on Saturday January 08, 2005 @03:36PM (#11298462) Homepage Journal
    After a vicious round with spyware, I switched to Firefox and regularly running AdAware and Spybot. Still, I ran the MS program to see what would happen.

    Adaware and Spybot report a lot of cookies. MS's program didn't. On the other hand, the AntiSpyware program found stuff the other two didn't. Total "hits" weren't 2-3x, but I've decided to keep AntiSpyware in addition to the other two programs.

  • by Chemical ( 49694 ) <nkessler2000&hotmail,com> on Saturday January 08, 2005 @03:38PM (#11298478) Homepage
    You can download without having to validate your license. Just select the "No, leave me the hell alone" option when downloading.
  • by mutilated_cattle ( 846847 ) on Saturday January 08, 2005 @03:40PM (#11298499)

    MS just bought giant AS and rebranded their product as Microsoft. As far as I can tell there's very little change to the program itself beyond the branding.

    Giant has always been among the top antispyware products, as evidenced by Failing Grades for most anti-spyware tools [slashdot.org] so this "MS should know their own security holes better than anyone" stuff isn't strictly relevant. I think MS should focus more on fixing the security problems in IE that are responsible for 90%+ of spyware infections rather than sticking plaster over the holes by buying up anti-spyware solutions. Is this even going to be free when it's released?

    Personally I prefer webroot spysweeper anyway, Giant has always generated too many false positives for me.

  • by Anonymous Coward on Saturday January 08, 2005 @03:53PM (#11298622)
    don't be such a noob dude, last update was 6 days ago.
  • by afd8856 ( 700296 ) on Saturday January 08, 2005 @03:59PM (#11298661) Homepage
    When downloading, they want me to check if the windows I'm using is legit. Wouldn't you call this spying on my affairs?

    (I already know about the link to the direct download)
  • by myowntrueself ( 607117 ) on Saturday January 08, 2005 @04:10PM (#11298742)
    "Now, MS were naive to think that no-one would ever exploit that feature maliciously"

    At least in the beginning they took measures to stop it; the original outlook couldn't even receive pop or imap email and hence the only incoming email was supposed to be from the corporate Exchange server.

    It was only later, when the internet became popular, that, uh, by popular demand they produced add-on packs for exchange with which you could use pop, smtp and imap.

    Then the email viruses began to take advantage...

    I reckon that they should now go the other way around; produce a special add-on pack for the VB scripting and just leave it right out of the default install.
  • Re:MS = the Mob (Score:2, Informative)

    by Foolhardy ( 664051 ) <[csmith32] [at] [gmail.com]> on Saturday January 08, 2005 @04:13PM (#11298770)
    Have you looked at Process Explorer [sysinternals.com]? It's a task manager type program that provides tons of extra information: for each process you can see its parent, the startup options, a list of every kernel handle it has open, every library it has loaded, a cpu and memory usage graph, a list of threads with stack and status for each, what services (if any) are running inside it (for the svchosts mainly), what sockets are open, environment variable information, image strings and more. Lots of other tools at sysinternals.com too.
  • by siliconjunkie ( 413706 ) on Saturday January 08, 2005 @04:15PM (#11298788)
    It really depends on where you work. AdAware and Spybot S&D are two applications that work well and have a proven track record of being legitimate tools to combat spyware/adware/malware. Unfortunately, there are many more applications out there [spywarewarrior.com] that are either (A) blatant rip-offs of these two legit programs, (B) Spyware disguised as anti-spyware or (C) BOTH.

    This is not to say that there are not other legitimate programs out there, but sadly, if it's not on the short list of proven applications [spywarewarrior.com] it should be scrutinized before it is endorsed.
  • by milletre ( 154241 ) on Saturday January 08, 2005 @04:19PM (#11298812)
    Is it me, or is the link to the Microsoft Anti-Spyware fishy? I got all sorts of security warnings from Firefox, and it comes up as an https:// page.

    But if I go there from the Microsoft home page proper, it's a non-secure URL.

    wtf?
  • False positives.. (Score:5, Informative)

    by wfberg ( 24378 ) on Saturday January 08, 2005 @04:30PM (#11298900)
    Among the things MS Anti-Spyware found on my system (which is actually well-maintained, so perhaps not the best test-bed) none was a real hit, they were all false positives.

    It even managed to warn against registry settings put in place by SpyBot to ensure a malicious site runs in internet explorer's restricted zone!

    Also, it reported with glee that TightVNC is a dangerous hacking tool. I happen to use it to help out people, exactly the kind of people who are likely to remove it if AntiSpyware complains about it (e.g. my mom).

    Then a load of DLLs that are actually dummy DLLs shipped with the "lite" version of a (once upon a time) popular ad/spyware ridden app - again, it's detecting its competition!

    And then there are the residual files/empty directories/registry settings that adaware/spybot didn't remove some months ago when I tried an app that came with ad/spyware. No active components at all.

    Another thing I don't like about it is that its user interface doesn't scale properly when you've adjusted your DPI settings.

    Also, its on-access scanner (for want of a better word) comes with an enormous performance hit, and is mostly concerned with Internet Explorer hacks. Those are a minor concern for me since I use firefox, and besides, Microsoft should fix IE, not ship cycle/ram-hungry monitoring applications for it (though that's hardly GIANT's fault).

    In other words, I'm underwhelmed.
  • by Rasta Prefect ( 250915 ) on Saturday January 08, 2005 @04:47PM (#11299018)

    I've noticed adaware often does this. It says there are 300 infections, but only 3 of them are program executables and only 1 is running. Many of them are cookies, so I suppose those could count individually, but separate dlls for the 3 programs it found should not be counted as separate infections.


    Usually they do show what each file belongs to as well, so you can see roughly how many products they're removing. The number of files removed _is_ relevant however - many spyware programs tend to make multiple copies of themselves that'll happily restore each other when one is removed.

  • by afabbro ( 33948 ) on Saturday January 08, 2005 @05:01PM (#11299114) Homepage
    Did not do either of these things to me, on three different PCs.
  • by jdhawke ( 797924 ) on Saturday January 08, 2005 @05:13PM (#11299203) Homepage
    Also the default installs of TightVNC, RealVNC and winpcap are flagged as spyware. As if only crackers use these items for anything and no respectable user would.
  • Re:For fairness... (Score:1, Informative)

    by brianiac ( 772618 ) on Saturday January 08, 2005 @05:17PM (#11299247)
    When I ran it, I got three "infected files": one was a trusted sites entry, one was the Lernout & Hauspie Text-to-Speech Engine I had downloaded from Microsoft's site, and one was instsrv from Microsoft's Resource Kit. So, in addition to being able to double-count (or more) infections "per file", the Microsoft tool also tends to find false positives.
  • Re:Twice as much (Score:5, Informative)

    by damiam ( 409504 ) on Saturday January 08, 2005 @05:17PM (#11299248)
    Some of what it detects are definitely false positives. On my machine, it claimed to find registry traces of eDonkey and Grokster, which it says contain adware. But the keys it found were put there by Shareaza, a non-spyware open-source client.
  • Re:False positives.. (Score:3, Informative)

    by Warskull ( 846730 ) on Saturday January 08, 2005 @05:31PM (#11299353)
    I got a similar result here, it turned up all false positives. I heard a lot of people claim Giant Anti-Spyware is the best, but from what I can tell Spybot search and destroy is still by far the best with a bit of back-up from lavasoft's ad-aware. So what this means is people are fine just running spybot and ad-aware. This microsoft rebranding of Giant looks to be the super paranoid version of anti-spyware. Not only does it mark spyware, but it also marks programs that install spyware, and marks programs similar to those that install spyware. I think any peer to peer application they know about is included as spyware. While this could be good for the lay user, it seems anyone with a remote knowledge of computers is better off using other programs. One big thing this has that others don't is the descriptions (pretty good) of the spyware. Maybe some uninformed people running this will read some of those descriptions and hopefully become more aware of why they don't want spyware.
  • Re:Twice as much (Score:5, Informative)

    by ZeroExistenZ ( 721849 ) on Saturday January 08, 2005 @05:36PM (#11299395)
    I second that.

    Serv-U FTP Server is apparently a "Trojan FTP", default action is to "quarantine" in MS's view.
  • by shaitand ( 626655 ) on Saturday January 08, 2005 @06:05PM (#11299596) Journal
    Don't confuse the issue, 95% of the users didn't use IE because it was good, they used it because it was good enough and bundled with the OS. You act as if the two things are separate ;)

    Netscape was always technically superior to IE.
  • by Zeinfeld ( 263942 ) on Saturday January 08, 2005 @06:30PM (#11299786) Homepage
    Actually there is a huge problem with anti-spyware deleting anti-spyware. The problem is that the anti-spyware ends up looking very much like spyware as far as heuristic checks go. So for example it tries to resist being clobbered by the spyware, it scans the disk, it hooks into similar entry points.

    The same problem happens with legislation. The Bono anti-spyware bill as currently drafted would make most of the anti-spyware programs illegal. It's not intentional, it's just bad drafting. The problem is that what is spyware is at some level a consent issue and so drafting is horribly difficult.

  • by borg1238 ( 692335 ) on Saturday January 08, 2005 @06:58PM (#11300005)
    Sorry, didn't do this to me either. Homepage on IE is still google, and the hosts file appears to have been left alone.

    So all I have to do is make an unsubstantiated post about a M$ program doing evil things to my machine and I get modded up? Oh yeah... this is Slashdot.
  • by DaFallus ( 805248 ) on Saturday January 08, 2005 @07:43PM (#11300302)
    said no to all the "Do you want me to be intrusive and make all your decisions for you?" typical Microsoft crap (didn't matter, it loaded itself anyway)

    Actually, in the original version of Giant's Antispyware, this is a default feature. The majority of Microsoft's beta version looks and acts almost exactly like Giant's latest version before they were bought out. I'd say that so far 99% of the code has been left untouched. However, Microsoft did remove the innoculate option from the Advanced Options menu.
  • Re:Twice as much (Score:5, Informative)

    by CritterNYC ( 190163 ) on Saturday January 08, 2005 @07:53PM (#11300372) Homepage
    Some of what it detects are definitely false positives. On my machine, it claimed to find registry traces of eDonkey and Grokster, which it says contain adware. But the keys it found were put there by Shareaza, a non-spyware open-source client.

    Yeah, it wanted to kill off pieces of eMule, Shareaza and Unreal Tournament 2004 on my box.
  • by fm6 ( 162816 ) on Saturday January 08, 2005 @08:24PM (#11300552) Homepage Journal
    What I would like to know is, is the Microsoft version finding the same spyware in different locations or finding different types of spyware in the same locations? The reason I bring this up is for Microsoft to beat everyone else by a factor of two just doesn't sound right. Not that it can't be done just that it was done.
    I'd already cleaned off the existing spyware using Ad-Aware and Spybot. So this was new stuff.

    It shouldn't surprise anybody that Spybot and AdAware miss a lot of stuff. There's a lot of crap out there -- I've heard reports of people having thousands of infections. The big problem is keeping those databases up to date. Since Spybot is basically some guy's hobby, and Lavasoft has never put a lot of effort into maintaining AdAware (a product that was given to them by its original author, on the condition that they always provide a free version), naturally their databases have lagged. It was inevitable that somebody with deep pockets would invest the time and money to do a better job.

  • by detlev409 ( 673380 ) on Saturday January 08, 2005 @08:42PM (#11300627)
    I've had some success with the new updates for adaware. I've had rather underwhelming results from the VX2 plugin, but a fully updated adaware installed has removed VX2 on a number of machines in the last few days. I can't specify what strain of VX2 was had in all cases, though, so take it for what it's worth.
