First Look At Microsoft Anti-Spyware

Microsoft have released a beta-test version of their new Anti-Spyware program (based on technology they gained during their recent acquisition of Giant Company Software). As a happy little curious bunny, I decided to download it and give it a go on one of the computers lying about at work.

Installation of Anti-Spyware is the typical InstallShield-driven wizard interface.

Anti-Spyware Installation - 'With SpyNet Technology'

Interesting to see that this product comes “with SpyNet technology”. Sounds like a buzzword if ever I heard one.

A progress bar...

Having finished the installation, the “Setup Assistant” launches.

Anti-Spyware Setup Assistant - 'Introduction'

The setup is divided into four stages, although, in actual fact, each of the first three stages consists of answering one question, and the fourth can take a long, long time (scanning the computer for spyware).

Questions first:

Anti-Spyware Setup Assistant - 'Keep Your Computer In The Know'

With inspiring titles like “Keep Your Computer In The Know”, “Meet Your Computer’s New Bodyguards”, and “SpyNet: The Anti-Spyware Community”, one can’t fail to feel safer almost immediately, hmm? I leave everything as the defaults – turned on. Reading its description, I’m left wondering what ‘SpyNet’ actually does. Sounds a little like spyware to me. I can only hope it’s not as ineffectual as the “submit a bug report” feature already common in Windows.

Anti-Spyware - 'SpyWare Scan'

The setup wizard (which, it turns out, has no presence in the taskbar and cannot be alt-tabbed to, which means that I have to minimize my other windows to dig my way back to it) suggests that I run a “SpyWare Scan” now. I don’t have all day, so I select to run “an intelligent quick scan”. It estimates that this will take “less than 2 minutes”. Okay, that sounds fair.

After a quick check of the running processes on the PC, the scan begins looking at the files on the computer. There’s no progress bar, so the only indicator of how far it’s gone is which file it’s currently scanning, combined with my knowledge of the layout and content of this hard disk. 2 minutes later, it’s broken its promise, as it doesn’t seem to have made great progress – but it does claim to have detected two pieces of spyware: TightVNC, a piece of computer remote control software I installed a few days back – not spyware – and WinPCap, a set of drivers for capturing network traffic, used by most Windows-based packet sniffers (network protocol analysis tools) – also not spyware. Hmm.

Confusingly, the scanner at this point claims to have detected 2 infected registry keys, despite also claiming to have not yet scanned any registry keys.

Anti-Spyware - 'Scanning Registry'

After about 8 minutes, the second part of the scan begins – scanning the system registry. The flickery little animation is changed from little yellow folders to little green building bricks, and the list of infections increases. See below for the complete list of “spyware” that it found.

Finally, after about 13 minutes, the scan is complete (a little longer than the estimated 2 minutes for a ‘quick scan’), and I’m presented with the results:

Anti-Spyware - 'Spyware Scan Results'

The report detects the following:

  • TightVNC and RealVNC – two remote control programs that each “allows full control of the machine it is installed on”. The spyware report kind-of makes it clear that these two “moderate threats” are legitimate remote control software, but that they could be exploited to take control of the computer remotely, by an unseen attacker! Interestingly, it doesn’t detect that I have Remote Desktop, Microsoft’s remote control software, activated. Nor does it detect pcAnywhere, another remote control program I’d put on for the purpose of this scan.
  • WinPCap – this, as mentioned above, is a network capture driver. The spyware scanner lists it as a “low threat”, and points out that while not dangerous in itself, it could be used by a spyware program to capture my network traffic, which is correct. I’m not aware of any spyware that takes advantage of WinPCap, but it’s at least a theoretical possibility, and it’s fair to warn me about it.
  • eDonkey 2000 and Grokster – the program incorrectly detects an installation of eDonkey and Grokster – two file-sharing programs. These are listed as “low” and “medium” threats, respectively, not because they are spyware… but because they are often bundled with spyware (in the latter case, nasty stuff like Cydoor). In actual fact, this computer has Shareaza installed – a free, open-source, spyware-free file-sharing program that is capable of connecting to the eDonkey and Grokster networks.
  • EasySearchBar, a known piece of spyware that sits in Internet Explorer and feeds information about browsing habits back to the makers, and allows pop-up ads to appear. I’m not even sure how that got onto this computer (people shouldn’t be using Internet Explorer here at SmartData at all), but it can be removed using the tool, so I let it go ahead and do so.

Conclusion

Microsoft Anti-Spyware is currently in a very early release and buggy stage. It successfully detected all the spyware that Ad-Aware did (although it doesn’t also pick up on tracking cookies and data miners harboured by IE, as Ad-Aware does). However, it also detected several completely safe pieces of software, which – had I been an amateur user – could have alarmed me into accidentally deleting them. The time estimates given by the program are way out.

I haven’t tried (to any great extent) any of the other tools provided by the program – such as the cache cleaners and the live protectors – however, the live protector that was supposed to “prevent unauthorised programs from editing the hosts file” (a common way for adware programs to take over your internet connection) didn’t work. When I wrote a program to (in a very suspicious manner) add entries to the hosts file, it didn’t notice it, prevent it, or even log that it had occurred.
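For comparison, the kind of check that live protector should have been doing, as an added example (not the author’s test program and not Microsoft’s code): fingerprint the hosts file so any edit is noticed, and flag entries that redirect a hostname to a routable address. Both hosts files and the domain names in them are constructed for the example.

```python
import hashlib
import ipaddress

# Constructed sample hosts files (not taken from any real machine).
CLEAN_HOSTS = """\
# Default Windows hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # local ad-block entry, benign
"""

# The same file after a hypothetical adware edit: a routable address
# (RFC 5737 documentation range) is substituted for a real site name.
TAMPERED_HOSTS = CLEAN_HOSTS + "203.0.113.10    www.example.com\n"


def fingerprint(text: str) -> str:
    """SHA-256 of the file; store it as the baseline and re-check it so
    that any edit is at least noticed and logged."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs, skipping blanks and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def suspicious_entries(text: str) -> list[tuple[str, str]]:
    """Flag entries that point a hostname at a routable address. Loopback
    (127.x, ::1) and the unspecified address (0.0.0.0) are the normal
    self-references and blocking sentinels; anything else redirects that
    name to another machine, which is the hijack pattern adware uses."""
    flagged = []
    for addr_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(addr_text)
        except ValueError:
            flagged.append((addr_text, name))  # unparseable: inspect by hand
            continue
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append((addr_text, name))
    return flagged
```

A real monitor would read the live file (on Windows, %SystemRoot%\System32\drivers\etc\hosts), compare its fingerprint against the stored baseline on each pass, and write both the change and any flagged redirects to a log.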

I am concerned that, if Microsoft do start charging for this product or for updates to it, this could be an opportunity for Microsoft to make money out of a problem that they helped to create. And if they give it away for free, I’m concerned that it will be ineffectual and lull users into a false sense of security (like Microsoft Anti-Virus before it). However, on the up-side, at least Microsoft are beginning to take spyware and adware seriously.

Fnorders Of The Day

Wow. The “Fnorders Of The Day” (the message in the little strip between this site’s title and the posts) for today is “Ignore previous message. The beer bottle manipulates the drunken ski lift. Fnord.” That’s brilliant.

Crosslink: I reimplemented Fnorders many years later.