Antispyware Shootout

An anonymous reader writes "ZDNet has published a review of 8 antispyware products from Computer Associates, Lavasoft, McAfee, Microsoft, PC Tools, Symantec, Trend Micro and Webroot. Check out the Editor's Choice. Interesting winner ...." I've used quite a number of these scanners on and on & off basis, and I think the reality is that you if you are truly to clean a machine out, you're going to need to use like three - five of these. Each of them captures a certain area, but none are the One Ring or anything.

Were they reviewing Spybot or not?

[xxxJonBoyxxx]

Were they reviewing Spybot or not? I saw mention of it in the results, but I don't think it was on the results chart...

Free solutions

[Anonymous Coward]

It's nice that they acknowledge the existence of free solutions ("freeware" anti-spyware programs), such as (my personal fave) Spybot Search & Destroy [safer-networking.org]. I would feel a whole lot better about this article if it would actually compare these expensive commercial programs to the whole playing field of contenders. Leaving out the least expensive solutions (free ones) leaves this article wanting.

Sony

[kidtwist]

Did any of them find the Sony rootkit?

Re:Prevention or cure?

[ZiakII]

How about not using a hopelessly broken OS in the first place?

How about learning to operate a computer first? Most of these users with spyware problem stem from being computer illiterate. I don't get any spyware on my machine but I don't open anything that says "Click Here for Free Smiles", I use Firefox read the EULAs on anything I install and at least make smart decisions instead of installing anything I see without any problems. You wouldn't go driving a car without some proper maintance or you would have problems, but people don't see it like that, they figure anyting they can do on their machine can be easily fixed by someone for a cheap price or even free if they knew a computer nerd that will fix there computer for them.

Take my brother for example he installs anything he wants on his computer and dosen't care because as soon as I come home to visit my mother guess who is going to format and reinstall the OS again and make everything beter again and this cycle goes on and on.

Re:Why is this necessary?

[Jugalator]

To answer your topic question, it's necessary because Windows users usually run with administrator rights and don't care much for what an installer may do. Think doing the same but in Linux as root.

And then few OS'es out there will help if the user choose to install a spyware infested program and click "Yes" to install the whole thing. I mean, once a user run executable code with admin rights, what can the OS do?

One solution is of course to run in a more protected user mode where you're requested of admin rights when it has to do something to the system, and the upcoming version of Windows will do exactly this, and what *nix desktop managers have had for years.

However, when the user see "This application requires administrator rights", will he/she still just blindly fill in the requested info, click "yes", and get the spyware?

Re:Why is this necessary?

[Maelstrum]

It would be the same way for any other OS if it where the dominate. Linux, etc. would have had the same problem if it had made it to the top of the food chain.

Microsoft is not evil,

[chunews]

.. just misunderstood.

But seriously, spyware has little to do with Microsoft and their shoddy products. MS is definitely to blame for inadequate security, poor mimicry GUI designs, and an attrocious "embrace and extend" attitude towards open standards.

That said, Spyware is more the result of the combination of the insane ROI for spywarers coupled with poor user education. One might argue that Windows allows users to have too many privileges yet this perception only minimally impairs the dedicated keystroke logger.

Fault anyone, fault doubleclick. And the wholly inadequate privacy and confidentiality laws of the US governement.

Re:Why is this necessary?

[naelurec]

One solution is of course to run in a more protected user mode where you're requested of admin rights when it has to do something to the system, and the upcoming version of Windows will do exactly this, and what *nix desktop managers have had for years.

Yah.. BUT even with existing Windows (Windows 2000 and XP), running as an underprivileged user does have many issues. There are still many applications on Windows that do not follow the security policy and attempt to write user data outside of their profile. ie -- try installing an app sometime as a regular user on Windows...

However, when the user see "This application requires administrator rights", will he/she still just blindly fill in the requested info, click "yes", and get the spyware?

Pretty much. This is a HUGE change for a Windows user. I'm guessing most will find this annoying and learn how to switch back to Administrator and not much will be resolved.. especially when their favorite game REQUIRES administrator access to run. blech.

They left out major players

[p3x935]

And where is Sunbelt Software's CounterSpy (both consumer and Enterprise editions) in this round up? They left out major Antispyware applications!

What about performance?

[mcgroarty]

For the client-side antiSpyware solutions, how is the client-side performance? I've seen some very comprehensive virus scanners that also drag performance down into the mud. For example, Symantec severely impacts Metrowerks' compiler and copy times to and from SMB shares. McAffee utterly punishes network performance. cygwin's rsync ran at less than 10% speed when McAffee was installed, and I had to uninstall McAffee to recover speed, I couldn't just turn off network scanning. I'm assuming the antiSpyware programs are similar to antiVirus programs in this regard, as they're basically the same software but with a different database of things to look for.

always in memory

[Fëanáro]

the problem with most of these modern anti-spyware software is all of them want to stay in memory ALL THE TIME. Even worse are Anitvirus tools. I tried once to install several of them to have mre than one on-demand scanner at my disposal, and it was a mess.

Even IF they offer the option to NOT load themselves at each startup, many still do load something anyway. Most dont even ask so that you have to disable 3 different services and 2 startup programs with cryptical names.

Otherwise you end up with all of these tools concurently trying to scan each file access / internet request, registry change etc.
You end up with all sort of interesting and unpredictable side effects, probably offering worse protection than each of them alone.

Most telling part of the article...

[Anonymous Coward]

From the test results page:
Clean machine accuracy and performance testing

        * Accuracy: Only Lavasoft and Spybot Search & Destroy picked up anything when instructed to scan a newly installed and patched version of Microsoft's Windows 2000 Professional. Both reported Alexa (adware) related items. The other seven applications in this test correctly reported no items.

Sorry, but in my opinion, Alexa IS spyware (or can be if you use IE) and spyware detectors should find and at the very least warn you of its presence. From there it's up to the user to decide to keep it or junk it. Just because you have a fresh install from Microsoft doesn't mean it is clean. Microsoft is just as capable as anyone else of bundling crap with their software.

Coral Cache...

[cbiltcliffe]

http://www.zdnet.com.au.nyud.net:8090/reviews/soft ware/security/soa/To_catch_a_spy_Eight_anti_spywar e_tools_reviewed/0,39023452,39225147,00.htm [nyud.net]

Karma whore, I know.....

I don't know why the changeover to CSS didn't include a little modification to the story submission script that automatically updates all story links to use Coral Cache. It really wouldn't be that hard, especially considering all of /. seems to be written in Perl.

Re:Why is this necessary?

[keraneuology]

However, when the user see "This application requires administrator rights", will he/she still just blindly fill in the requested info, click "yes", and get the spyware?

No. The average user will install software only if it involves clicking "Next" "Ok" or "Finish". Any weird questions about administrator rights will spark a call to son/brother/cousin/friend/12 year old who will know the right answers.

Pathetic review!

[OrangeDoor]

They don't mention what they infected the computers with or whether they ran a full scan with ad-aware, which would find more things likely. They also value detection over ability to remove the infection, which is understandable but only mildly forgiveable.

I can understand that they are looking at a corporate environment, but in a corporate environment with 150+ windows 2000 machines you'd think they'd have preventative measures in place and more security. I wouldn't let any user install anything on their machines and require going through IT to do it. Why spend all that money on spyware cleaning tools when it'd be more effective to setup a domain server.

As for the home... in a home or small office environment the computers tend to get so infected that they call when they can't get online, their browser gets hijacked, or windows doesn't boot. Running each and every one of those scans isn't going to fix it or even detect the culprit. It will involve lots of manual work and ingenuity, but in that situation it's faster and and better just to backup and reformat.

It's really not that hard to prevent infections nowadays, just need to be told what not to do. An anti-spyware program that will warn you of changes to startup items or new registry entries will NOT save you though. It might help but if you're doing stuff that constantly pop-ups warnings, it's inevitable you're going to get infected anyway.

It annoys me to no end when they completely neglect prevention and instead go for treating the symptoms. It's irresponsible, it's ineffective, and it's just to sell products. And I'll stop myself from going on a further rant in my first Slashdot response.

Re:Most telling part of the article...

[icydog]

It would be pretty funny if the Alexa crap didn't come with Windows and actually infected the machine before they could run the tests. I don't recall Alexa being installed with Windows when I used Windows 2000.

Re:Why is this necessary?

[Scoth]

In my experiences, when users are presented with something unfamiliar or they don't understand, they just click stuff until it goes away. I'd love it if they put down the mouse and picked up the phone. I can't count the number of times I've gone to a friend's house or taken a tech call and the person says "I don't know what happened, something came up and I clicked it and it went away. I didn't read it".

Re:install an anti virus as well as anti spyware?

[octaene]

Symantec Antivirus 10 [symantec.com] which is coming out soon integrates spyware/adware detection and removal with their standard AV client.

Re:Coral Cache...

[Anonymous Coward]

When I got slashdotted, someone posted a coral cache link (the main content was 5 video files and my server was slow). Others picked up on it and reposted it. Google doesn't equate the two links, so now searches for my stuff are polluted with nyud links... I'd prefer it if only the one version appeared because it's confusing and it dilutes my hard-earned google rank.

Also, not all submissions need coral cache. The two other times I was slashdotted, I didn't have video files and my server worked great (thanks, csoft!)

Re:Why is this necessary?

[Anonymous Coward]

What they mean is, fewer viruses have been written for OSX because there's a lower number of users, and therefore lower "return" from a mass infection.

"Fewer viruses" implies that there exist viruses for Mac OS X, but the number is less than those for Windows. That is incorrect. There is no virus for OS X in the wild. Period.

Maybe "immune" is a wrong word to use because it implies ability to withstand attack from a specific disease when we know that viruses are anything but specific.

As for your argument about lower number of users, yes, it is a factor, but not a sole reason. It's been discussed to death how the security model in OS X is better, thus making it harder to write a virus for it. 5 years of OS X and not a single virus. Quite an accomplishment, I'd say, considering the geeks who want the fame for being the first virus writer to conquer OS X and the number of Mac haters who worship Gates and rage whenever the words "Mac", "Jobs", and "Apple" are uttered.

Re:Free solutions

[Sketch]

I removed Spybot S&D from my gf's XP bo this weekend, after noticing that the last database update was over 6 months old, and it said there were no new database updates.

I see from some of the links in this thread that there are in fact newer updates, but why doesn't the app find them? If I need a newer version to use the newer updates, it ought to tell me, like AdAware and ClamWin...

Re:Free solutions

[SirPavlova]

6. Install Firefox, delete all shortcuts to IE.

I've never been able to do that last bit - I can get rid of every one except the built-in icon on the desktop. You can hide it from the desktop, but if you open My Computer or something & hit backspace, it's displayed in the virtual folder at the top of the Windows directory tree.

Do you know how to turn that off completely? If you could tell me, that'd be great... I have a feeling it can be done but I'm not sure.