Anti-Spyware… Isn’t.

Microsoft just released a beta application for Windows to locate, disable, and eliminate spyware. The application is beta, so I wasn’t expecting a great deal. I was impressed, though, with its integration with Windows Update, its clean and simple UI, its advanced tools for browsing helper objects and resident programs, and its TSR agents, designed to monitor three areas of potential infiltration.

A few hours, though, proved that glitz and good design doesn’t a solution make. I was running three other applications on the box to find the malicious code – SpyBlaster, SpyBot, and SpyDoctor – and each one was identifying completely different areas of infiltration. One would catch a bug while another would say the computer was clean, even with updated definitions. I moved in and out of safe mode, attempting to track down and erase the offending registry entries, programs, and settings that kept bringing the crap back to the machine. And every time, the Microsoft anti-spyware solution would report that the system was clean.

Heck, what were those real-time agents doing? Apparently not stopping the spyware. Once, a toolbar attempted to self-install and the agent asked if I wanted the toolbar to install; it’s this obtrusive red dialog that pops up above the system tray – believe it or not, there’s no “DOH!” option to stop the application from asking such an obvious question. Of course not! I mean, that is why I’m running the application. So I answered NO. The agent reported that it had erased the infection, only for me to find that the toolbar had actually installed, created directories on the primary volume, and placed its executables in the windows\system32 directory. I suppose I didn’t answer the question fast enough.
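The hunt described above – finding the registry entries that keep reloading the spyware, and the toolbar that quietly dropped its executables into system32 – is exactly what a read-only autostart audit is for. The following PowerShell script is an added example written for this post, not code from the original article or from Microsoft’s tool; it walks the standard Run/RunOnce keys and the Browser Helper Objects key, resolves each entry to its binary, and flags anything that is unsigned or missing on disk. It assumes a modern Windows PowerShell with the registry provider and Get-AuthenticodeSignature available, and it changes nothing on the machine.

```powershell
# Added example (not from the original post): enumerate the autostart
# locations and Browser Helper Objects that spyware uses to reload itself,
# and flag entries whose binary is unsigned or cannot be found.
# Run from an elevated prompt; the script is read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Pull the executable path out of a Run value such as  "C:\dir\app.exe" /silent
function Get-ImagePath([string]$command) {
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

# Authenticode state of a file: Valid, NotSigned, HashMismatch, ... or MISSING
function Get-SignatureState([string]$path) {
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'MISSING' }
    return (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
}

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip the provider's own metadata
        $image = Get-ImagePath ([string]$p.Value)
        $findings += [pscustomobject]@{
            Location   = $key
            Name       = $p.Name
            Image      = $image
            InSystem32 = $image -like "$env:SystemRoot\System32\*"
            Signature  = Get-SignatureState $image
        }
    }
}

# Each BHO is registered by CLSID; the DLL lives under that CLSID's InprocServer32 key
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path $server) {
            $dll = [Environment]::ExpandEnvironmentVariables(
                       [string](Get-ItemProperty -Path $server).'(default)')
        }
        $findings += [pscustomobject]@{
            Location   = 'BHO'
            Name       = $clsid
            Image      = $dll
            InSystem32 = $dll -like "$env:SystemRoot\System32\*"
            Signature  = Get-SignatureState $dll
        }
    }
}

# Unsigned or missing binaries sort to the top; review those by hand before removing anything
$findings | Sort-Object Signature | Format-Table -AutoSize
```

An unsigned DLL registered as a BHO, or a Run entry pointing at a freshly created executable in system32, is the kind of entry the article’s author was chasing between reboots; listing them side by side from each key is what lets you see which one re-creates the others, rather than deleting whichever one a given scanner happened to notice.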

Fact is, I’ve found that no single application mitigates or reduces spyware. Each application’s definitions seemingly understand different levels of threats. Only a good reformat seems to solve the problem, and as for my client, after the reformat, I set the browser’s privacy and security settings on high, re-enabled the native firewall, refreshed Norton’s definition file, and offered a bit of advice:

1. I demonstrated the difference between a dialog generated by Windows and a dialog generated by a browser. The browser-based dialog is encapsulated in Windows Explorer and looks different from a normal operating system response.

2. If the browser-based dialog asks a question, always opt for Cancel or NO. Do not accept certificates unless you trust the source.

3. Do not install any 3rd party toolbars or search assistants. They are more trouble than they’re worth and open holes into your system that invite other applications to install.

4. Try not to download anything from the Internet whose author you’re not familiar with. Spyware is being circulated inside applications now, and removing the application doesn’t remove the spyware.

And finally, I advised that he download Microsoft’s Anti-Spyware tool. It’s not much, but it’s something – at least some layer between you and the bad guys.

Russell Mickler, CISSP/MCSE

Principal, Mickler & Associates

www.micklerandassociates.com

© 2003,2004. All Rights Reserved.

None of this material can be copied or used without express permission from the author.

Mr Bob says:

Comment posted on: February 25, 2005

Sir,
We have people bring us their machines to the IT department all the time for this, and what we have found is THIS application helps get rid of the ones that keep loading back in. Check it out:
AutoRuns
Copyright (C) 2000-2004 Bryce Cogswell and Mark Russinovich
Sysinternals – http://www.sysinternals.com
VERY useful tools at sysinternals