Calendar Of Updates: Does your antispyware's real-time protection work? - Calendar Of Updates


Does your antispyware's real-time protection work?

#1 Donna

Posted 08 June 2005 - 02:48 PM

Anti-spyware program that blocks installation of known spyware/adware


Quote

It is recommended to enable real-time protection of the security tools (e.g. anti-virus, firewall, anti-trojan, anti-spyware, anti-malicious scripts etcetera) to prevent installation of known unwanted programs (viruses, trojans, worms and spyware - usually legit and harmless applications but coded with spyware or aggressive ads).

Are you sure that your anti-spyware program will really prevent installation of known spyware?

I tested Javacool's SpywareGuard, Spybot Search and Destroy's TeaTimer and SDHelper, Microsoft's AntiSpyware (Beta), eTrust's PestPatrol, Webroot's Spy Sweeper and Tenebril's SpyCatcher. All these anti-spyware programs offer real-time protection. To test the protection of these anti-spyware programs, I downloaded a toolbar called Hotbar. Hotbar is known as adware by Symantec, Spybot S&D, Computer Associates and Tenebril.
  • Test 1: Using Javacool’s SpywareGuard

    As soon as I click the “download” button on the Hotbar website, SpywareGuard’s real-time protection kicks in:

    Posted Image





  • Test 2: Using eTrust's PestPatrol

    While installing the Hotbar toolbar, eTrust's PestPatrol active protection kicks in:

    Posted Image





  • Test 3: Using Webroot's Spy Sweeper

    While installing the Hotbar toolbar, Webroot's Spy Sweeper Spy Installation Shield kicks in [prompting me to run a full sweep (scan)], then its Memory Shield kicks in too:

    Posted Image


    Posted Image





  • Test 4: Using Tenebril’s SpyCatcher

    While installing the Hotbar toolbar, Tenebril SpyCatcher’s Protector kicks in:

    Posted Image





  • Test 5: Using Microsoft’s Anti-Spyware (Beta)

    While installing the Hotbar toolbar, Microsoft's Anti-Spyware Application Agent kicks in:

    Posted Image Posted Image Posted Image
The test results show:
  • SpywareGuard will save the PC and time of users because if the installer is known as spyware or bundled with spyware and aggressive adware, the user is alerted when they try to DOWNLOAD.



  • eTrust's PestPatrol, Webroot's Spy Sweeper, Tenebril’s SpyCatcher did their job, also. Their anti-spyware’s real-time protection quickly alerts the user while the user is in the process of installing the said application that is known spyware or adware.



  • Spybot Search and Destroy's SDHelper and TeaTimer did nothing in real-time while attempting to install Hotbar. The antispyware scanner did, however, detect 138 entries to be removed, which were flagged as “red”.



  • Microsoft's AntiSpyware (Beta) did not alert me that Hotbar is known as spyware or adware. Windows AntiSpyware's Application Agent informed me that Hotbar and Smartshopper are being added in Internet Explorer toolbar/browser’s bar. This should allow the user to decide whether or not to allow the installation and quickly run a full system scan using another antispyware program because the user is trying to install Hotbar only but a Smartshopper is also being installed. Note: Use another antispyware program to scan for spyware/adware if Hotbar is installed because it is known already that Windows AntiSpyware does not detect Hotbar.
Suggestion: Use more than one antispyware scanner to scan the system regularly for known spyware or aggressive adware programs. Enable one real-time protection by your antispyware program. A good real-time protector is one that works like Webroot's Spy Sweeper, Tenebril's SpyCatcher, eTrust's PestPatrol and Javacool's SpywareGuard.
There are other antispyware programs that offer real-time protection against known spyware. You might want to test their real-time protection by installing a known spyware on a test machine and see how it works.


http://dozleng.com/i...tsecurity/?p=47


#2 Haroldo

Posted 08 June 2005 - 04:20 PM

Donna,
You did a great job!
Your research helps us all tremendously, since the average person may not be aware of the different response capabilities.
A few questions, however:
  • You suggest only one real time protector. What if one company rates a threat differently from another? Recently, AdAware (if I am not mistaken) received negative publicity by judging a product not adware. What if our protector makes an error in judgement? Would you advocate a second protector to cover those situations?
  • How much 'agreement' is there in the world of spyware definitions? Will all the major products deem the same parasite similarly, or will some call it adware while others may not? An example is Tenebril's (false positive) on Quicktime Installer. True, a false positive can be corrected, but what about differences in philosophy? Do all protectors share their databases or are they independently created? If the latter, what about the time lag between one's detection (and creation of the update) and another company's detection?
  • What do you do in your spare time, if you have any? You seem to be one of the hardest people on the internet. Or are there a few people who do the work and they all publish under your name?


#3 TeMerc

Posted 08 June 2005 - 05:14 PM

Nice work Donna indeed.

One thing tho, very few security folks in the forums recommend only one 'real time' preventative app. Most will tell you there is rarely any conflict, I know from my own experiences, having been running Adwatch, SpySweeper, and TeaTimer with no troubles at all. Granted, not sure about some other combos, but this one works just fine.

Haroldo, there is some 'agreement' with regards to each app finding the same things, tho, some will find only specific variants of certain apps, there can be so many, in some cases, the vendor elects to detect the most prevalent it seems. Most are indeed created independently, tho, there are many databases out there for sale, but those would only be bought by unscrupulous, lazy developers in my opinion. A truly dedicated developer would work up his own database on his own research.

Updates are also another thing that each seems to have a slightly different pattern. Webroot seems to update at least once a week, in many cases 2-3 times per. Adaware is typically about 2-3 weeks, and Spybot slightly longer.

And I too, wonder, how Donna gets all this stuff done. She needs to change her nick to SuperDonna.

#4 Donna

Posted 08 June 2005 - 05:15 PM

Quote

You suggest only one real time protector. What if one company rates a threat differently from another? Recently, AdAware (if I am not mistaken) received negative publicity by judging a product not adware. What if our protector makes an error in judgement? Would you advocate a second protector to cover those situations?

I suggested enabling 1 real time protection only to avoid huge memory usage. I would push a user to enable more than 1 real time protection if the user's PC has enough memory to handle additional processes, tasks and services. Unlike antivirus applications that automatically delete malicious behavior (worms, trojans or viruses), antispyware does not automatically delete detected or known spyware/adware. The antispyware will only alert/warn the user. It is recommended by most antispyware vendors to install 1 real time protection to have a stable system.

For users who prefer to enable 1 real time protection by antispyware application, scan regularly using another antispyware program. This will allow a user to know whether their preferred real time antispyware protector did not miss any.

Quote

How much 'agreement' is there in the world of spyware definitions? Will all the major products deem the same parasite similarly, or will some call it adware while others may not? An example is Tenebril's (false positive) on Quicktime Installer. True, a false positive can be corrected, but what about differences in philosophy? Do all protectors share their databases or are they independently created? If the latter, what about the time lag between one's detection (and creation of the update) and another company's detection?


This is why I hope to see a CENTRALIZED SPYWARE REPORT SYSTEM - a system that will fairly check the definitions or detections by security vendors and reports by consumers. If such a system is available, there is maybe a chance to avoid false detection. Most security vendors offer a "reporting tool" (e.g. Spynet by Microsoft, Prevelance Research by eTrust) that will analyze the submissions by users but it is not centralized. They analyze themselves and base the detections on their own guidelines before they will flag it as spyware or not.

Quote

What do you do in your spare time, if you have any? You seem to be one of the hardest people on the internet. Or are there a few people who do the work and they all publish under your name?


LOL
I eat, sleep, read and watch scary videos/books!
I have a proofreader and you know who it is! :banana:
He'll be paid with many many CoUdos! :P

#5 hewee

Posted 08 June 2005 - 06:19 PM

Very nice testing work you did there Donna.

Now did you do these with IE, Netscape, Firefox or :question: because I know some of the programs seem to look more at IE and what happens.

#6 socratia

Posted 08 June 2005 - 10:19 PM

Thank you Donna for your informative article and the work you did!

#7 jakebarnes

Posted 08 June 2005 - 11:46 PM

Donna - Hotbar is included in Spybot's HOSTS file ... wonder what would have happened if you had included/appended this HOSTS file to your test system before you attempted to download the program/malware?

#8 Donna

Posted 09 June 2005 - 05:42 AM

TeMerc said:

One thing tho, very few security folks in the forums recommend only one 'real time' preventative app. Most will tell you there is rarely any conflict, I know from my own experiences, having been running Adwatch, SpySweeper, and TeaTimer with no troubles at all. Granted, not sure about some other combos, but this one works just fine.


I myself am using real-time protection of MS Windows AntiSpyware, TeaTimer & SDHelper, Spy Sweeper, SpyCatcher, PestPatrol and now recently added McAfee AntiSpyware but I opt not to recommend to users to enable all protection by all anti-spyware programs for system stability.

Most of the real time protection by these programs will really use huge memory causing slow PC while browsing and a bit freezes when another program is opened.

Definitely no conflict in enabling the real time protection by antispyware program for the reason I mentioned earlier (they don't auto delete detected items or don't auto-quarantine). However there will be huge memory usage if.. for example, they will enable 5 real-time protection. Unless they are using more than 512MB of RAM and they will configure each application not to do more task other than "monitor".

hewee said:

Now did you do these with IE, Netscape, Firefox or :question: because I know some of the programs seem to look more at IE and what happens.


With IE as default browser because the protection offered by most antispyware is for IE and most users are using IE as default.

jakebarnes said:

Donna - Hotbar is included in Spybot's HOSTS file ... wonder what would have happened if you had included/appended this HOSTS file to your test system before you attempted to download the program/malware?

I will not be able to proceed in testing the real-time protection of AntiSpyware if I will enable any 3rd party HOSTS file because the connection will be refused.
Most users don't use 3rd party HOSTS file or IE-SPYADS of Eric L. Howes and let's hope they will learn how to add it as additional protection.

#9 hewee

Posted 09 June 2005 - 07:03 AM

Thanks Donna

#10 johngalt

Posted 09 June 2005 - 12:51 PM

Nice. Good work Donna.

I read on Vital Security a thread on how to use VMWare to create a test environment inside your regular environment that you can use to infect and re-infect, etc, and which will also allow you to revert the install back to the way it was before.

The thread mentioned a trial version of it - I am going to see more about it.

#11 Donna

Posted 09 June 2005 - 03:25 PM

Quote

I read on Vital Security a thread on how to use VMWare to create a test environment inside your regular environment that you can use to infect and re-infect, etc, and which will also allow you to revert the install back to the way it was before.


I'm using a similar product. It's Microsoft's Virtual PC 2004 http://www.microsoft...pc/default.mspx
Haven't tried VMWare. Looking at the specs now :)

#12 johngalt

Posted 09 June 2005 - 05:43 PM

lol I was planning on taking a look at M$ Virtual PC soon too

#13 2harts4ever

Posted 10 June 2005 - 08:50 AM

Morning Donna,

Super job in both the testing phase and then explaining the results too. :D

You have written about the results of your testing in such a way that even a 'newbie' like myself can understand it.

Well done! :approved:

Thanks and regards,

2harts4ever :wub: :wub:

#14 TeMerc

Posted 12 June 2005 - 06:34 AM

Donna, excellent work!!!

I have pinned a link to this thread, along with this realtime protection comparison which you(?) also created. They are in my Countermeasures Discussion forum.

Very well done both of them.

#15 Donna

Posted 12 June 2005 - 07:43 AM

BIG Thanks TeMerc :wub:

#16 Haroldo

Posted 26 June 2005 - 11:55 AM

Important, please see Microsoft AntiSpyware 'now' detects Hotbar

#17 Haroldo

Posted 29 June 2005 - 03:44 PM

I hate to throw a wet blanket over this hug-feast, but what can one conclude from this test?
Yes, some products did well, while other failed against Hotbar, but what does that mean?

Quote

Does success against Hotbar imply protection against
  • All

  • Most

  • Some

  • None of the above
other parasites?

Maybe TeaTimer kicks butt against, say 180Solutions and Microsoft AntiSpyware (MSAS) fails miserably?
Shouldn't this issue be extrapolated to see if there is a trend, or should we make assumptions based upon one test?

#18 hewee

Posted 29 June 2005 - 06:18 PM

Like to see what is running and when then look at Process Explorer.
http://www.sysintern...ssExplorer.html

No install is needed.
Under the CPU column it will show the CPU % that a program is using. Some will not show any % and others will only show the % of CPU on and off as it does its scan or real time scanning.
This you can use to see what is doing what and when or how often it is doing something in the background.
You can then look at the CPU graph option in its own window or look at it at the top of the window like you see here and as you move your mouse across it it will tell you what was doing what at what time and the CPU it uses.
You'll see I got a screen shot of WinPatrol. Note I have turned off the real time scans the new version does so that may be why you do not see it running in the CPU column with a CPU % showing up. But you do see the CPU in the CPU graph.
Other scans will show a CPU show up under other Programs for just a second too.

So if you want more info on what is doing what and see how things are also doing their scans then check it out.
It is FREE and no install is needed so just unzip it to its own folder.

Posted Image

#19 Hardhead

Posted 29 June 2005 - 07:31 PM

hewee, on Jun 29 2005, 02:18 PM, said:

Like to see what is running and when then look at Process Explorer.
http://www.sysintern...ssExplorer.html

No install is needed.
Under the CPU column it will show the CPU % that a program is using. Some will not show any % and others will only show the % of CPU on and off as it does its scan or real time scanning.
This you can use to see what is doing what and when or how often it is doing something in the background.
You can then look at the CPU graph option in its own window or look at it at the top of the window like you see here and as you move your mouse across it it will tell you what was doing what at what time and the CPU it uses.
You'll see I got a screen shot of WinPatrol. Note I have turned off the real time scans the new version does so that may be why you do not see it running in the CPU column with a CPU % showing up. But you do see the CPU in the CPU graph.
Other scans will show a CPU show up under other Programs for just a second too.

So if you want more info on what is doing what and see how things are also doing their scans then check it out.
It is FREE and no install is needed so just unzip it to its own folder.

Posted Image

ProcessExplorer rocks hewee. :approved:
I've been using it for quite some time.

#20 hewee

Posted 29 June 2005 - 08:38 PM

Hardhead,
Yea it is a cool program to have. :)
