Antispyware Shootout 343

An anonymous reader writes "ZDNet has published a review of 8 antispyware products from Computer Associates, Lavasoft, McAfee, Microsoft, PC Tools, Symantec, Trend Micro and Webroot. Check out the Editor's Choice. Interesting winner..." I've used quite a number of these scanners on an on-and-off basis, and I think the reality is that if you are truly going to clean a machine out, you're going to need to use three to five of these. Each of them captures a certain area, but none are the One Ring or anything.
  • Spyware Warrior (Score:5, Informative)

    by popechunk ( 863629 ) on Monday December 05, 2005 @11:51AM (#14185192) Journal
    This [spywarewarrior.com] might be a little out of date, but it's still my favorite review site. It talked me into paying for Giant right before MS bought it, which is too bad, because it was the best one I'd ever used.
  • by mencik ( 516959 ) <steve@mencik.com> on Monday December 05, 2005 @11:53AM (#14185205) Homepage
    Note that the test was for enterprise versions of the products, meant for support of a 150 or so user network. Your mileage may vary if a test is done for single computer home use.
  • Summary (Score:5, Informative)

    by Big Nothing ( 229456 ) <tord.stromdal@gmail.com> on Monday December 05, 2005 @11:57AM (#14185238)
    For those of you who are too lazy or otherwise unable to reach the article (which in a matter of minutes should be just about EVERYONE), here's the summary:

    Scenario 1: This larger (over 150 users) company is seeking dedicated anti-spyware. It needs a solution that can detect and clean up a range of malware on its machines.
    Winner 1: Computer Associates eTrust Pest Patrol and Symantec Client Security. Once a network goes above 150 nodes the case for centralised management command and control capabilities becomes more important. CA wins here for its performance and ease of management, and Symantec for its accuracy.

    Scenario 2: This smaller (less than 150 users) company is seeking dedicated anti-spyware. It is seeking a solution that can detect and clean up a range of malware on its machines.
    Winner 2: PC Tools Spyware Doctor 3.0 for its ease of use, accuracy, and performance.

    Editor's Choice: Symantec Client Security 3.0
    It was neck and neck for the Editor's Choice Award between CA and Symantec. Had CA or even PC Tools detected more (they were both above average), they could have won, however, Symantec blitzed the field in detection which is really what you want. Note that this is at a trade-off to performance, and bear in mind that Symantec also includes antivirus, so your decision may come down to what virus scanning policy and system your business is already using.

  • by caffeinemessiah ( 918089 ) on Monday December 05, 2005 @12:01PM (#14185266) Journal
    What's going to be left of your CPU if you're running a bunch of anti-spy/virus/blaaaah scanners, auto-updaters and registry watchers? Have we all forgotten whitelist-based approaches? IMO, the best way to go is to DeepFreeze your system drive, unfreezing it for updates and installing new software (uninfected software of course). Then have a couple of data partitions that are not frozen. Run Firefox in ultra-restricted mode for everything but the sites you know are safe. Why is this so hard? The other approach would be to get AV makers to include spyware features in their software so that you don't have to clutter up your process space with extra protection.
  • Re:Spyware Warrior (Score:5, Informative)

    by Mitchell Mebane ( 594797 ) on Monday December 05, 2005 @12:16PM (#14185379) Homepage Journal
    Well, then you'll be happy to know Microsoft wasn't the only one who got Giant code. Sunbelt produces CounterSpy [sunbelt-software.com], also based off of Giant, and they seem to have a tougher stance on spyware than MS does.
  • by Laurentiu ( 830504 ) on Monday December 05, 2005 @12:21PM (#14185419)
    ... which can be found at http://www.hitmanpro.nl/ [hitmanpro.nl]

    Hitman Pro is a meta-tool, an aggregate of 10 antispyware tools that automagically downloads and runs these tools with as little fuss as possible. Unfortunately the whole page is in Dutch, but the Download button is quite visible, and the software itself may be run with an English interface (self-explanatory).

    A (rather outdated) manual can be found at http://xthost.info/hitmanual/ [xthost.info]. Enjoy!
  • Personally... (Score:2, Informative)

    by Capeman ( 589717 ) on Monday December 05, 2005 @12:34PM (#14185548)
    ...I use Lavasoft's Ad-Aware SE Professional [lavasoftusa.com] in combination with Spybot - Search & Destroy [safer-networking.org], they keep my PC spyware free.
  • Re:Free solutions (Score:5, Informative)

    by lowrydr310 ( 830514 ) on Monday December 05, 2005 @12:52PM (#14185712)
    I have a formula that works fairly well to combat spyware/adware, successfully removing existing spyware and preventing the system from getting new spyware.

    1. Kill all unfamiliar windows processes
    2. Remove anything strange from the 'startup' folder
    3. Go to "add/remove programs" and try to remove anything you don't need
    4. Run Spybot S&D (my personal favorite too)
    5. Run HijackThis (another excellent FREE tool for getting rid of browser helpers and other search redirection 'utilities', though it's not for the novice user)
    6. Install Firefox, delete all shortcuts to IE.

    I've done this to several computer-illiterate friends' and family computers, and they've been working spyware-free for quite some time. I ran into one really nasty search redirection on my brother's computer that the above steps didn't fix. It involved IE calling one specific DLL for a search, and it would reappear as another name if I tried to delete it. Somehow, it was running as a disguised Windows 2000 system process that I simply had to turn off which allowed me to manually delete all associated files.

  • Re:Enough power (Score:4, Informative)

    by afabbro ( 33948 ) on Monday December 05, 2005 @01:14PM (#14185944) Homepage
    Next, if you really are that desperate for free programs, movies, porn, then get a separate box for the P2P software

    Or VMWare. eMule runs nicely in VMWare. Create a master copy, clone it, and run eMule/BitTorrent/whatever on the clone. If the clone becomes fouled, delete it and reclone.

    In my experience, serious P2P does not play well with other apps - it needs a dedicated box. It sucks up the network stack something foul (run eMule for a few days and then see how long netstat takes). However, if you have the RAM, you can run it in VMWare in the background quite nicely... I've had eMule charging away while playing F.E.A.R. with no noticeable performance hit to either (3 GHz HT, 2 GB RAM).

    Of course, if there was eMule for Linux...(no, don't tell me about amule...)

  • by killmenow ( 184444 ) on Monday December 05, 2005 @01:16PM (#14185965)
    Click the "Print Article" button on the first page and it will present the entire article to you in one long HTML page.
  • by Jugalator ( 259273 ) on Monday December 05, 2005 @02:14PM (#14186490) Journal
    Yah.. BUT even with existing Windows (Windows 2000 and XP), running as an underprivileged user does have many issues. There are still many applications on Windows that do not follow the security policy and attempt to write user data outside of their profile. ie -- try installing an app sometime as a regular user on Windows...

    Yep, I agree this is clearly a problem on Windows, and probably a big reason things look like they do today with spyware. However, one has to wonder whether it's Microsoft's fault or not. There is the "current user" registry hive, there is the user profile directory (a la *nix "home directory")... It's maybe mostly because of Windows' poor heritage with lousy security mechanisms that have made developers sloppy. I.e. "we develop like for Windows 95 and it has worked for Admins for a decade, so let's ignore those 'other' accounts".
  • Re:Free solutions (Score:3, Informative)

    by Cunjo ( 865201 ) on Monday December 05, 2005 @02:53PM (#14186851) Homepage
    I worked at a computer repair shop at one point, and my SOP is very similar, although I typically run HijackThis earlier in the process (Before removing programs), and I include - if necessary - some passes with other programs.

    Worst-case Scenario:
    1) Kill all unnecessary processes manually (if able)
    2) Run MSCONFIG and disable unnecessary startup processes (if able)
    3) Run Spybot S&D [safer-networking.org] (if able)
    4) Run HijackThis [spywareinfo.com]
    5) Install Avast! AV [avast.com] and updates, and schedule a boot-time scan (if able)
    6) Uninstall/manually remove unnecessary applications
    7) Reboot
    8) Repeat all steps 1-6 which did not work the first time
    9) Run Spybot S&D (again)
    10) Install and configure Firefox [getfirefox.com] with Adblock extension.
    11) Install and configure SpywareBlaster [javacoolsoftware.com]
    12) Lock Down IE
    13) Reboot
    14) Manually clean up any remnants with the help of HijackThis
    15) Install and configure Kerio PF [kerio.com]

    It takes longer than is typically necessary of a simple cleanup, but so far I haven't run into anything that couldn't be fixed in such a manner. Most importantly however, it doesn't cost a dime. I keep both a USB flash drive and a CD on hand with all of the programs and updates I need as well as some other fallback programs (some pre-installed directly on the CD/flash drive), so if the infected machine is unable to connect for downloads/updates it won't slow me down. It also helps that IE is not needed when loading everything from the CD or flash drive.

    Of all the machines I have used this on, only those of the incredibly stupid have had problems resurface, while most have run clean for a year or more. I use the same preventative measures on my own PC and have never picked up any spyware/malware.
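Both cleanup recipes above (lowrydr310's step 2, "remove anything strange from the startup folder", and Cunjo's step 2, "disable unnecessary startup processes") come down to deciding which autostart entries deserve suspicion. The script below is an added example, not code from the thread or from any of the tools it mentions: it parses the text that `reg query` prints for a Run key and sorts each entry by where its executable lives. The registry output is a constructed sample with hypothetical entries; the "trusted" and "review" locations are assumed XP-era defaults, and the verdicts are a triage hint, not a verdict on the software.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `reg query HKCU\...\Run` output (hypothetical entries,
# not from the thread or any real machine). Four-space indentation and
# four-space field separators mimic what reg.exe prints.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MsnMsgr    REG_SZ    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    svhost    REG_SZ    C:\Documents and Settings\Owner\Local Settings\Temp\svhost.exe
    UpdateHelper    REG_SZ    "C:\Documents and Settings\Owner\Application Data\uhlpr\uh.exe" -s
"""

# Assumed default install locations on an XP-era machine.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class AutostartEntry:
    name: str        # registry value name
    value_type: str  # REG_SZ, REG_EXPAND_SZ, ...
    command: str     # full command line stored in the value
    exe_path: str    # executable extracted from the command line
    verdict: str     # suspect / review / trusted-location / unknown


def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run value, handling quoted paths with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: the path runs up to the first ".exe"; fall back to the first token.
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [command])[0]


def classify(exe_path: str) -> str:
    """Location-based triage: where an autostart binary lives says a lot about who put it there."""
    p = exe_path.lower()
    if "\\temp\\" in p:
        return "suspect"            # nothing legitimate should autostart from a Temp folder
    if p.startswith(TRUSTED_ROOTS):
        return "trusted-location"   # normal install location (still check the vendor)
    if "\\documents and settings\\" in p:
        return "review"             # runs out of a user profile; find out what installed it
    return "unknown"


def parse_reg_query(text: str) -> List[AutostartEntry]:
    """Parse reg.exe output: value lines are indented, key headers and blanks are not."""
    entries = []
    for raw in text.splitlines():
        if not raw.startswith("    "):
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) < 3:
            continue  # value with no data; nothing to launch
        name, value_type, command = parts
        exe = extract_exe(command)
        entries.append(AutostartEntry(name, value_type, command, exe, classify(exe)))
    return entries


def flagged_names(text: str) -> List[str]:
    """Names of the entries worth disabling or investigating before the next reboot."""
    return [e.name for e in parse_reg_query(text) if e.verdict in ("suspect", "review")]


if __name__ == "__main__":
    for e in parse_reg_query(SAMPLE_REG_QUERY):
        print(f"{e.verdict:17} {e.name:14} {e.exe_path}")
    print("flagged:", flagged_names(SAMPLE_REG_QUERY))
```

On a real machine the input would be the output of `reg query` for the HKCU and HKLM Run and RunOnce keys, saved to a file from the CD or flash drive Cunjo describes; the location heuristic deliberately puts the Temp-folder lookalike first and leaves anything in Program Files to a vendor check rather than declaring it clean.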
  • Re:Coral Cache... (Score:3, Informative)

    by mfreed ( 217310 ) on Monday December 05, 2005 @04:22PM (#14187684) Homepage
    Coral synthesizes robots.txt files to disable search-engine caching.

    Requests for anything.nyud.net:8090/robots.txt return:

        User-Agent: *
        Disallow: /

    I'm not sure what might be going on with Google.
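To see what that synthesized robots.txt actually does to a crawler, here is an added example (not part of the post and not Coral's code) that feeds the two directives to Python's standard-library robots.txt parser and asks whether a few well-known crawlers may fetch a cached page. The URL is a hypothetical nyud.net address; the crawler names are just sample user agents. It also shows that the directives must be on separate lines: run together on one line, the parser sees a user-agent with no rule and allows everything.

```python
from typing import Dict
from urllib.robotparser import RobotFileParser

# Constructed reproduction of the synthesized file the post describes: one directive per line.
CORAL_ROBOTS_TXT = "User-Agent: *\nDisallow: /\n"
# The same two directives flattened onto one line (what you get when whitespace is collapsed).
FLATTENED_ROBOTS_TXT = "User-Agent: * Disallow: /\n"

# Hypothetical Coral-proxied URL (assumed; not from the thread).
SAMPLE_URL = "http://example.nyud.net:8090/some/cached/page.html"


def crawler_may_fetch(robots_txt: str, user_agent: str, url: str) -> bool:
    """Parse robots.txt text and ask the stdlib parser whether user_agent may fetch url."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())   # parse() also marks the file as read, so can_fetch() is live
    return rp.can_fetch(user_agent, url)


def fetch_matrix(robots_txt: str, url: str,
                 agents=("Googlebot", "Slurp", "msnbot")) -> Dict[str, bool]:
    """Which of the sample crawlers would be allowed to fetch url under this robots.txt."""
    return {agent: crawler_may_fetch(robots_txt, agent, url) for agent in agents}


if __name__ == "__main__":
    print("two-line file:", fetch_matrix(CORAL_ROBOTS_TXT, SAMPLE_URL))
    print("flattened   :", fetch_matrix(FLATTENED_ROBOTS_TXT, SAMPLE_URL))
```

With the proper two-line file every agent gets False, which is why search engines will not cache Coral pages; with the flattened one-liner the `Disallow` text becomes part of the user-agent value, no rule is recorded, and every agent gets True.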
  • Re:Free solutions (Score:2, Informative)

    by Brataccas ( 213587 ) on Monday December 05, 2005 @04:51PM (#14187965)
    Been awhile since I've done this, but have you tried going to Add/Remove programs under Control Panel, selecting "Set Program Access and Defaults", and then unchecking "Enable access to this program" next to Internet Explorer? Alternatively, you could try removing Internet Explorer via the Add/Remove Windows Components tab in Add/Remove programs. Yes, yes, it doesn't REALLY remove it from the computer, but it usually hides it well enough. This is all assuming you are running WinXP...
  • Re:What is spyware ? (Score:2, Informative)

    by NereusRen ( 811533 ) on Monday December 05, 2005 @04:58PM (#14188053)
    While the Linux "invulnerability" does tend to get overstated here on Slashdot, some of your points are incorrect. There really are inherent benefits to the Linux security model. I'll respond to a few parts of your post specifically:

    The vector of attack for spyware/adware is through the uneducated/uninterested user downloading his latest fun program.

    Unless it installs itself automatically through an ActiveX or a hole in IE, which many of them do. Certainly not all, and maybe not even a majority, but a significant number.

    Therefore if you install it as the user, it will still be able to show ads, replace your mozilla start page, do popups, etc. The only difference is that it will be per-user rather than machine-wide. For most people that wouldn't matter as they are a single user on that machine and the difference between having it be user-process or admin-process really isn't large.

    Except it becomes extremely easy to remove in comparison. "A tad simpler" doesn't begin to cover it:
    • If you become unable to safely boot as that user because it hijacks your startup and prevents its removal, you can boot into root or single-user mode (safety command-line) to remove it. Windows no longer has a backup command-line that avoids loading the graphical environment, although safe mode sometimes functions as an equivalent.
    • Linux doesn't have the Windows habit of locking down in-use libraries and executables, so you can actually delete the files to get rid of it without jumping through as many hoops.
    • User processes do not have the same permissions for listening on certain ports, inserting themselves into necessary system libraries, or hiding themselves rootkit style.
    • If all else fails, it is easy to wipe a user-profile and make a new uncontaminated one. If the spyware was confined properly to that user's home folder, it won't infect the other user accounts of that computer as well.

    As you mention, there is the potential for local root exploits (or local password-sniffing or -phishing), but it is easier for Joe User to keep his box updated with apt-get or the equivalent than to accurately judge whether each random game he downloads is legitimate or not.

    I'm not pretending that Linux is immune, because as you say, users will download Weatherbug and enter their password without a second thought, if the pop-up box tells them they need to do that for the installation. However, you can tell someone "don't enter your password except in apt [or equivalent]" and they will be pretty well protected on Linux, even if they have to give up a few badly-behaved 3rd party apps which won't install in user mode. There is no equivalent advice for Windows users.
  • by Derf_X ( 651876 ) on Monday December 05, 2005 @06:03PM (#14188769)
    All you need to clean your computer from spyware is a few tools:
    -Process Explorer [sysinternals.com]
    -Startup Control Panel [mlin.net]
    -Startup Monitor [mlin.net]

    And of course surf the web with Firefox or Opera.

  • by Fortran IV ( 737299 ) on Monday December 05, 2005 @08:07PM (#14189788) Journal
    Susan Bradley, a Microsoft MVP, has created a "Hall of Shame" [threatcode.com] for Windows-based software that requires Admin/Power User privilege to run, or that has other serious security flaws. The list is still short (and sort of disorganized), but she's trying. A good many big-name vendors are on her list (and she's not afraid to add Microsoft products).

    Nominate your favorite offenders! Tell your friends! If Threatcode.com catches on (she's a server guru, so maybe she can survive a slashdotting), maybe at least a few companies will respond to the bad publicity.

    I know, I've got a Pollyanna attitude, but I keep hoping...
