Failing Grades For Most Anti-Spyware Tools

serbach writes "Steve Gibson posted this link to a superb test of about two dozen top Anti-Spyware programs: Eric L. Howes conducted the test over a two-week period in October. The results surprised me: only 3 ASW programs had a 'batting average' of better than .500 when it came to eradicating the broad range of spyware in the test. Freeware star Spybot Search & Destroy came in a distant 7th with an average of only .376. The top three? Giant Anti-Spyware, Spy Sweeper, and Ad-Aware. These test results are well worth your time."

It's interesting

[Anonymous Coward]

The attitude to directed advertising programs or "spyware" on Slashdot. Especially when you step outside the parochial echochamber that is Slashdot discourse and speak to people who actually use these programs. On the whole, they are actually happy to get these novelties for "free", like the funny little desktop buddy, or the search bar, weather report or stopwatch.

I used to work for one of the companies that distributed a "spyware" program through download.com, and we had continual PR problems with being lumped in with the worst offenders of the spyware world. We didn't do drive by installations, or hide our intentions: we just traded our customers data for use of our program. What, exactly is wrong with that? Why is Slashdot pretending all of us are as bad as each other, as if in this, as with all fields, there isn't a spectrum of behaviour?? Even some linux users are bad, just look at the DDOS at sco.com. I'm sure noone here would condone that behaviour.

(Posted anonymously, not interested in karma bonus.)

Interesting...

[Anonymous Coward]

...though I would have liked to see how the pre-emptive SpywareBlaster [javacoolsoftware.com] changed the results...

Re:none here

[Anonymous Coward]

What's your secret? I have Ad-aware, Spybot, SpywareGuard, Spyware Blaster, Zone Alarm on my main PC. I use Firefox. I hardly ever (to be honest) visit pr0n sites. I hardly ever do any P2P stuff. And occassionaly, I DO still find the odd malware on my PC.
Never is a loooong time. Even Sean Connery learned Never to Say Never Again.

Re:Spyware

[MoonFog]

A lot of the spyware you get is just cookies from servedby.com or something that registers what sites you visit etc. You're not safer from them on Linux than you are on Windows.As long as you accept cookies, they'll be there.

I just use Firefox's cookie handling. I disable cookies and choose to allow only certain sites to set cookies (such as gmail, online banking etc).

Is Windows fit for the internet?

[Viol8]

This isn't a standard issue MS bashing troll but you do have to question whether given the ease at which programs (which is what spyware is) can install themselves on someone elses computer with little or no user intervention , Windows is fit to be allowed on the internet. If all windows systems were taken offline then almost all viruses and the like would disappear almost immediately along with spambots and other unpleasent creations of the black hat fraternity. I'm not pretending this is feasible but you have to wonder what the net would be like if only relatively secure OS's were allowed to use it.

Re:It's interesting

[destinedforgreatness]

it's interesting that you've decided to go AC to mention you used to work for a company that wrote software that didn't conform to the beautiful utopia of "clean" OSS. I do not entirely agree that people who have Bonzi Buddy et al would be "actually happy" if they knew the inner workings. would you be happy with a car air freshener that reported which gas station you prefer?

hitman pro

[Anonymous Coward]

This is a very good solution :

http://www.freedownloads.nl/hitman_pro.htm

It's dutch and it runs Ad-aware, Spysweeper , Spybot S&D, Stinger, Spywareblaster , ect...automaticly....

Re:It's interesting

[cheezemonkhai]

Regardless, I don't see a problem with giving users the option to remove these things which trade their personal details.

• Who actually reads all the agreement to use the software?
• How many of them know their personal details are being sold?
• How many people know what is actually being collected.
• How many people got these "tools" from a random e-mail saying look this is cool?

I can hear what your saying, but I think the user is allowed the right to remove the spyware.
If the company doesn't want them to use the tool without the spyware then make it break without it and inform the user they removed the spyware which collects their details and would they like to reinstall it or remove the free "tool".

Sure some spyware is worse than others, but the user deserves the choice.

Re:none here

[rale, the]

I can concur with the grandparent. I have a windows box running xp, and use firefox and thunderbird. It lives behind NAT from my linux box, and I never see any spyware/malware crap.

I just ran Ad-Aware for the first time in a while (it told me my definition file was 109 days old), and it prompted me to go download an upgrade. Ironicly, it launched IE for this (firefox is definately set as default). Once it finished updating and running a full scan, it found 4 whole 'bad' things, which in this case were IE tracking cookies (doubleclick.net, etc). 2 of those 4 had a creation date of today, meaning they were picked up in the process of downloading that adaware update...

Re:none here

[NoMercy]

Seems to be more and more firefox is leaning towards the 'Weve blocked this, click here to find out why' approach, would be nice if this was extended to all areas including dangerous java programs/etc.

Re:It's interesting

[NoMercy]

1/4 the time your probably breaking the law when you do that, there are strict laws governeing what you can and can't do with information about european citizens. I know any 'information handler' which operates with the UK has to have a data protection statement, be registered as a data handler, and needs to keep all it's data on file for several years as any person must be able to get a copy of all the information held on themselves for no more than 10 pounds (about 30 dolars).

Sure your actions are still legal?

Re:It's interesting

[IO ERROR]

There's a big difference between an ad that someone can choose to click on or ignore, and a program you install on their computer which sends all of their data to your servers for you to do with whatever you want.

First of all, your program probably didn't disclose to the users that it was collecting personal information, or if it did, it was buried near the bottom of the license, which is to say you may as well not have disclosed it.

You may not have hid your intentions, but I'll bet you didn't show them either. How many of your users would have installed your program if you said right on the first screen "We collect your personal information and do whatever the hell we want with it"? Uh huh, that's what I thought.

There's a huge difference between a banner ad on someone's site and your typical spyware program.

Re:Spyware

[dave420]

What the heck are you on about? I run Windows, and I've had no problems with spyware ruining my PC or crashing it. I'm fed up with all this "ooh better stop using microsoft, otherwise your face will melt clean off" bullshit. I thought you guys were professionals? Why are you spouting this FUD about microsoft? If it was as bad as everyone here says, no-one would be able to use it at all, as their computers would be simultaneously blowing up and sending their credit card information to north korea.

There are PLENTY of things people can do in windows to protect themselves as much as they want. Suggesting moving to another operating system shows your real intentions here.

I apologise if this sounds pretty harsh, but I'm pissed off with the lack of professionalism or objectivity on this site.

Re:It's interesting

[Ilgaz]

If you state directly that program will sell your private habits, you are off to go.

I don't have problem with that myself.

I _hate_ one little, clever company named Limewire. Limesoft to be exact.

Those assholes recently tested SPYWARE on Mac OS X knowing the fact that mac users aren't so advanced on such things.

They used same tactic as they did on Top Moxie, on Win32 years ago. Coded it so system part (java.exe) will run it and if user runs an advanced firewall (not usual on mac too!) , Java will ask for permission to connect to net, NOT the spyware itself.

Advanced users figured it (thank god) and that "Adam" guy from Limesoft (boss) said "they were testing technology on macintosh, its pulled from installation now"

Do I remember that kind of answer and shameless response from somewhere? YES! It was same deal on Win32 topmoxie!

Notice something, I use "spyware" for Limewire, not whatever your product is. If you show users your intentions, you won't get much protest from them.

BTW, as mac users turned out to be "not that stupid", they removed "limeshop control panel" installation from later releases.

Limewire, on mac, while doing such "great inventions" as first spyware on OS x is currently number 1 on download.com mac edition... :)

When are you bundling your shit again Adam Fisk?

Re:It's interesting

[gad_zuki!]

I've found the opposite to be true and I've done tech support in a variety of atmospheres. Once "spyware" became a common word and we were able to talk about it, I have yet to hear anyone say "Yeah, I love the GAIN suite of helper apps." What I have heard is stuff like "I dont even know what that is, it just appeared one day." Sometimes I hear some pissed off outrage when they find out all those delays and crashes theyve been dealing with were caused by these semi-stealth installed programs and their privacy has been violated the whole time.

I think I met one dude who didn't care then the spyware kept multiplying. Afterall these vendors don't care about their customers, in fact they are hostile to thme, so why not abuse the system and turn that one downloaded app into more installs during an "update."

On top if it, a lot of these apps append the sig line in your mail client and professionally its makes the users who use email for work look bad. It makes them look stupid and incompetent. This kind of thing embrasses them quite a bit, and rightly so. A client is going to see a email full of multicolor characters with 4 links to GAIN and think, 'This guy is a moron.'

>Especially when you step outside the parochial echochamber

And once you step out of your "people are stupid/ignorant and dont deserve disclosure" stage you'll understand.

I am very glad both socially (people deserve disclosure and a legalese 10 page EULA isnt) and personally (Im sick of fixing computers) that spyware/adware is the kiss of death and now in the same league as spam and other scams.

Re:none here

[Taladar]

Even better would be to turn Web Developers off Java Script ;)

What surprises me is...

[wowbagger]

What surprises me is the fact that Mr. Gibson is able to find web sites that do "drive-by-installation" that are not taken down immediately.

You'd think that the hosts of "Innovators of Wrestling" would yank it if it were downloading crap onto people's computers without their knowledge - in violation of the LAW!

But then again, I've seen how well most System AdminDUHstrators manage their sites; perhaps my surprise is simply the result of my moring coffee not kicking in yet.

And here is a question for the class to consider: Given the difficulty of removing spyware in a machine which is running the spyware, why has somebody not taken Knoppix, Wine, the NT filesystem wrapper code, and a virus cleaner, and created a boot disk that would

1. mount the users disk using the NTFS in the kernel
2. locate the native NTFS DLL, MD5 check it, and assuming it is not corrupt use it to mount the system R/W
3. Use winelib to access the registry and clean it
4. Run the filescan and purge to remove the infections

. That way, you would need to reboot twice (once to boot into the CD, once back into Windows).

Granted, for me this question is of academic interest only - I don't run Windows anymore. But for those of us who have relatives still stuck in purgatory, this might be a better way to run.

Re:Spyware

[dave420]

Let's really see...

I can install apps x, y, z and utilities p, q & r.

The apps update themselves without my intervention.

There's no crap to put up with. I don't update my software, my software updates itself. This is what I mean - you're not telling the truth here. You're saying Windows is at the state it was 5 years ago, when it clearly isn't. As for spyware, just install adaware, and it'll protect you perfectly. Heck, I still use IE, and my computer is still mine, running without any spyware at all, with no intervention from me whatsoever.

It clearly is MS bashing if you misrepresent the truth on such a massive scale. From your post, a newcomer to computers would assume it's impossible to run an MS windows box without having to manually update ever single thing on it. That it's insecure and will become compromised within minutes. It's pure FUD, and not in the least bit true.

Re:It's interesting

[Anonymous Coward]

http://www.al-bab.com/arab/econ/nsbanks.htm

PRINCIPLES OF ISLAMIC BANKING

An Islamic bank is based on the Islamic faith and must stay within the limits of Islamic Law or the sharia in all of its actions and deeds. The original meaning of the Arabic word sharia was 'the way to the source of life' and it is now used to refer to legal system in keeping with the code of behaviour called for by the Holly Qur'an (Koran). Four rules govern investment behaviour:

1. the absence of interest-based (riba) transactions;
2. the avoidance of economic activities involving speculation (ghirar);
3. the introduction of an Islamic tax, zakat;
4. the discouragement of the production of goods and services which contradict the value pattern of Islamic (haram)

In the following part I explain these four elements give Islamic banking its distinctive religious identity.

Riba

Perhaps the most far reaching of these is the prohibition of interest (riba). The payment of riba and the taking as occurs in a conventional banking system is explicitly prohibited by the Holy Qur'an, and thus investors must be compensated by other means. Technically, riba refers to the addition in the amount of the principal of a loan according to the time for which it is loaned and the amount of the loan. While earlier there was a debate as to whether riba relates to interest or usury, there now appears to be consensus of opinion among Islamic scholars that the term extends to all forms of interest.

In banning riba, Islamic seeks to establish a society based upon fairness and justice (Qur'an 2.239). A loan provides the lender with a fixed return irrespective of the outcome of the borrower's venture. It is much fairer to have a sharing of the profits and losses. Fairness in this context has two dimensions: the supplier of capital possesses a right to reward, but this reward should be commensurate with the risk and effort involved and thus be governed by the return on the individual project for which funds are supplied.

Hence, what is forbidden in Islamic is a predetermined return. The sharing of profit is legitimate and that practice has provided the foundation for Islamic banking.

Ghirar

Another feature condemned by Islamic is economic transactions involving elements of speculation, ghirar. Buying goods or shares at low and selling them for higher price in the future is considered to be illicit. Similarly an immediate sale in order to a void a loss in the future is condemned. The reason is that speculators generate their private gains at the expense of society at large.

Zakat

A mechanism for the redistribution of income and wealth is inherent is Islam, so that every Muslim is guaranteed a fair standard of living, nisab. An Islamic tax, Zakat (a term derived from the Arabic zaka, meaning "pure") is the most important instrument for the redistribution of wealth. This tax is a compulsory levy, one of the five basic tenets of Islam and the generally accepted amount of the zakat is one fortieth (2.5 per cent) of Muslim's annual income in cash or kind from all forms of assessed wealth exceeding nisab.

Every Islamic bank has to establish a zakat fund for collecting the tax and distributing it exclusively to the poor directly or through other religious institutions. This tax is imposed on the initial capital of the bank, on the reserves, and on the profits as described in the Handbook of Islamic Banking.

Haram

A strict code of 'ethical investment' operates. Hence it is forbidden for Islamic banks to finance activities or items forbidden in Islam, haram, such as trade of alcoholic beverage and pork meat.

Furthermore, as the fulfilment or materials needs assures a religious freedom for Muslims, Islamic banks are required to give priority to the production of essential goods which satisfy the needs of the majority of the Muslim community, while the production and marketing of luxury activities, israf wa traf is considered as unacceptab

RTFS

[ajs318]

Imagine a cake department in a supermarket .....

CUSTOMER: Excuse me, miss. This cake. There doesn't seem to be an ingredients list on the box.
MANAGERESS: That's right, sir. There isn't one.
C: Why not?
M: Because it's a secret.
C: But how am I supposed to know what's in it?
M: We don't want you to know what's in it. If you knew what was in it, you might not buy it.

Would you buy a cake without an ingredients list? You don't know. It might contain animal fat. It might contain artificial colourings. It might contain nuts. It might contain radioactive isotopes.

I am genuinely curious as to what motivates people to run software knowing that they are not allowed to look at the source code. Fair enough, you may not understand it yourself. But people are not islands, and you probably know someone who could understand it, if you really needed it understood. And more to the point, if they won't show you the source code, why not? What don't they want you to see?

The only way you can ever know for certain what a piece of software is doing, is by reading the source code. If the suppliers don't want you to read the source code, that suggests to me that they have a problem with you knowing what it does. Which further suggests that it's probably dodgy.

Watch out for newer spyware's startup routines...

[Akardam]

I've recently seen a rash of new spyware that registers a .dll or ten into the TCP/IP stack, or even in some cases a device driver. Those are truly the beasts. And, of course, the normal Windows startup routines don't necessarily apply, since Windows will include the dll's at launch, and once they're hooked into a process, they'll go about their nasty business as part of what may otherwise be considered a legitemite executable. The line between spyware and a virus/worms/trojans these days is so incredibly thin, it's hard to see anymore.

If it hasn't already become obvious I'm all in favor of dropping large objects on the scumbags that make this kind of stuff. Say, a super-large special order 1000 ton ACME anvil, to start?

Re:none here

[Nephilium]

Actually... I'll take it a step further. It's not mental blindness, it's willful ignorance. These are the people that will say they don't want to know anything about "that computer stuff". After painfully explaining to them what was wrong with the machine (damn you new.net, damn you to hell!), and explaining why it was causing problems (it's sending you to different places then you want to go, think of it as a malicious gas station attendant that reverses all directions for his own sick amusment), they'll wait until after you leave, and then re-install it.

These are also the same people who argued that Windows ME was the same as Windows 2K, because the Millenium was in 2000.

Nephilium
Slab: Jus' say "AarrghaarrghpleeassennononoUGH" -- Detritus' war on drugs Terry Pratchett, Feet of Clay

Why isn't this illegal?

[krgallagher]

I recently began cleaning a friends computer of spyware. There were over 1,400 objects found by Adaware,and according to the article Adaware missed 25% of the infections. To make matters worse, even after eight reboots, running Adaware between each reboot, I still could not remove all the infections. I even tried mannually editting the registry. Now, thanks to this article, I may not have to reinstall the OS.

What I do not understand is how can this be legal. To me this is no different than a trojan (the viral type not the condom.) Maybe it does not self-replicate and spread, but it still hijacked my friends computer. I thought that the malicious or destructive control of a computer without the users consent was illegal according to federal law. Why is it the the government will go after script kiddies, but does not go after the corporate goons who are no better? Oh, wait, I forgot. Script Kiddies do not make political contributions. I'm going to email my congressman.

Re:Spyware

[99BottlesOfBeerInMyF]

Why are you spouting this FUD about microsoft?

My father and one of my brothers have windows machines. One is a locked down corporate XP pro SP1 laptop that is remotely administered by professionals. The other is a Windows ME home computer used for web surfing, e-mail, and video games.

About every other time I go to visit them, I walk them through spyware removal to make their machines run at a reasonable speed again. About once every three months, one of them calls me because their machine has become too bad to use and I talk them through it on the phone. They are both average, clueless users. If I could switch either of them to linux or the mac, I would in a heartbeat. My mother only calls for help with her imac when she forgets how to delete things in her webmail or she accidentally kicks the power cord out of the wall.

It is my professional opinion that anyone who does not actually need windows should switch, if they can afford to.

Re:none here

[VTBassMatt]

Computer science shows us that it's impossible to accurately detect a virus (some combination of undecideability and Rice's theorem, I'm thinking). Spyware is a "virus" in this sense, and since we can't detect viruses, we can't get rid of them. In theory, then, it's impossible to have a secure computer program (because even if it did, we couldn't detect that it had achieved such security).

Obviously there are heuristics that antivirus (and antispyware) programs use to "detect" viruses, but ultimately the virus-maker-versus-virus-detector problem is an arms race: virus-detectors try to keep up with virus-makers by discovered new heuristics to "detect" viruses, and virus-makers keep trying to outwit these new heuristics with ever-more-clever viruses.

In practice, a human being can detect the difference between a legitimate application and an unwanted application (hence the popups from firewalls and antivirus tools asking, "Do you want to allow this activity?"), but also in practice, many human beings do not exercise this ability. My grandmother, for example, sees those questions as a nuisance and simply clicks the left-most button no matter what the question asks.

Both in theory and in practice, this is an arms race and ultimately an impossibility.

Re:It's interesting

[hackstraw]

spyware almost always hides its true intentions deeply into some EULA nobody reads

spyware usually is very hard to uninstall

In other words, spyware like most spam depends on a business model based upon deception. Using deception in a business model is also known as fraud.

fraud (n.) -- A deception deliberately practiced in order to secure unfair or unlawful gain.

Fraud in the US is illegal.

Therefore, most spyware and spam are alread illegal in the US.

Look lawmakers you can give yourself another raise and take the rest of the day off. Your work is already done!

Re:none here

[The Patient]

User stupidity is still the number one security problem.

And a close second, or perhaps tied at number one, is the negative attitude of a lot of knowledgeable types. They're very quick to assume the average user is "stupid" because he doesn't know how to format a floppy disk, for example. I actually heard a couple of techs laughing about this behind someone's back the other day. Well, those two guys probably had to use DOS to format disks back in the day, but when's the last time you went to the store and bought an unformatted disk? The current crop of "average" users has never had to deal with that, so why would you assume that when such a situation arises, they're just going to know what to do? And when all they encounter is derision and ridicule when they ask questions, how likely is it that they're going to continue to ask questions so that they can learn?

And then there's the nerd factor. A lot of people, particularly young women, are terrified that if they display any computer-centric knowledge beyond the bare minimum needed to get by from day to day, they'll be tagged as a Poindexter and ostracized. Sure, you can tell them that they shouldn't give a rip about what other people think, but never underestimate the power of peer pressure. I had an interesting conversation about this topic with someone from some educational institution a couple of years back, and she said that it was such a problem that it was causing many young people to think twice about taking computer-related courses -- and that was leading to a shortage of qualified IT staff. This may have changed a bit today, but not a lot, I'd wager.

Recent case in point: after dropping the phone on my desk for the umpteenth time while tucking it between my neck and shoulder, so that I could look up something on the PC while talking to someone, I asked my manager for a phone headset. He figured that would be a good idea, and asked the young (20-ish) woman on the other side of the office if she'd like one, too. Her reply: "Ohmigod, I'd look like a NERD!"

Some time ago, this same person was asked by another employee how to perform some sort of basic (to you and me) operation one one of the other PCs in the office. She gave him some instructions, and tagged them with "Gee, I hope you don't think I'm a NERD for knowing that."

I doubt she's a prime candidate for reading up on what spyware is, how to avoid it, and then finding, downloading and installing something like Ad-Aware -- much less telling anyone else how to do so. And I think she's representative of a lot of "average" users.

Re:It's interesting

[Darthmalt]

My cousins gave me what was at the time a pretty decent computer with *shudder* winME that "didnt work". Because it wouldnt even finish booting anymore.

I started it in safe mode went to the startup menu, and fell in the floor laughing. The only thing wrong with it, besides the fact that it had ME on it, was that my cousin had d/l so many spyware/malware/tollbar crap that the computer didnt have enough processing power to get it all started.
after disabling all that crap and running spybot and adaware it started just fine.

Re:none here

[Shadwhawk]

I just fixed a client's machine that was heavily infected with spyware. While I was finishing up protecting the machine, I decided to look at his Zone Alarm programs list (my clients rarely have firewalls installed, so it didn't occur to me to check earlier).
There were something like two or three dozen spyware entries in the programs list. 90% of them were 'allowed'. And they were all manually configured! That means that Zone Alarm popped up "awojethk.exe wants to access the internet" warnings, the person clicked the "Remember this setting" box, and clicked yes!
Argh!