IT-DISCUSS@LIST.UVM.EDU


Subject:

Article on anti-spyware/adware effectiveness

From:

Kor Kiley <[log in to unmask]>

Reply-To:

Technology Discussion at UVM <[log in to unmask]>

Date:

Fri, 4 Feb 2005 15:53:16 -0500

Content-Type:

text/plain


This article is from Windows Secrets Newsletter edited by Brian Livingston.

According to this article, most malware removal tools are not very
effective and Spybot Search & Destroy and Ad-Aware are no longer the most
effective tools--even together:

Kor

*Anti-adware misses most malware*

By Brian Livingston

*Now that 80% of home PCs in the U.S. are infected with adware and
spyware, according to one study
<http://WindowsSecrets.com/links/36983d/361c84h/?u=www.staysafeonline.info%2Fnews%2FNCSA-AOLIn-HomeStudyRelease.pdf>,
it turns out that nearly every anti-adware application on the market
catches less than half of the bad stuff.*

That's the conclusion of a remarkably comprehensive series of
anti-adware tests conducted recently by Eric Howes, an instructor at the
University of Illinois.

Howes, a well-known researcher among PC security professionals,
collected 20 different anti-adware applications. He then infected a
fresh install of Windows 2000 SP4 and Office 2000 SP3 with several dozen
adware programs in separate stages. Finally, he counted how many active
adware components were removed by each anti-adware product.

(Note: I use the single term "adware" in this article to refer to both
"adware" and "spyware." Since it's not necessary for a spyware program
to "call home" to be disruptive, the distinction between adware and
spyware is meaningless. All such programs display ads or generate
revenue for the adware maker in some other way.)

Howes's tests were conducted over a period of weeks in October 2004. His
results were mentioned at the time in several places, including Slashdot
<http://it.slashdot.org/article.pl?sid=04/11/23/0331228&tid=172&tid=158&tid=201&tid=218>
and eWeek
<http://WindowsSecrets.com/links/36983d/2a320eh/?u=www.eweek.com%2Farticle2%2F0%2C1759%2C1731474%2C00.asp>.


Unbelievably, however, none of these commentators bothered to print a
simple chart showing which anti-adware application did the best job at
removing the unwanted components. Even Howes himself hasn't posted such
a summary. In a telephone interview, Howes exhibited both modesty and
perfectionism, implying that his work wasn't yet done to his
satisfaction--despite the fact that his tests are some of the most
extensive I've ever seen.

Howes's test results sprawl over six long Web pages, with no overall
totals or summary of the figures. It's a daunting body of data, but its
bottom line is explosive. Adware seems to be evolving much faster than
anti-adware, and the battle is so far being won by the adware side.

For this issue of the Windows Secrets Newsletter, therefore, I've
compiled Howes's figures into a straightforward chart, shown below. I
removed five products that didn't complete all of Howes's tests for a
variety of reasons. What's left is a revealing rating, from the top to
the bottom of the anti-adware heap.

Each anti-adware application, according to Howes, removed a certain
percentage of "critical" adware components. These are executable .exe
and .com files, dynamic link library (.dll) files, and Windows Registry
entries (autorun commands and the like).

Almost all the anti-adware programs that were tested removed fewer than
half of the hundreds of adware components Howes cataloged. The best at
removing adware was Giant AntiSpyware, but even that program removed
less than two-thirds of a PC's unwanted guests.

*Giant AntiSpyware catches 63%, tests say*

Howes's tests were conducted before Microsoft Corp. announced
<http://WindowsSecrets.com/links/36983d/b30337h/?u=www.microsoft.com%2Fpresspass%2Fpress%2F2004%2Fdec04%2F12-16GIANTPR.asp>
in December that it was purchasing Giant Company Software outright. For
that reason, the tests use the version of Giant AntiSpyware that was
available in October and not the newer Microsoft beta version that's
currently available.

Even so, with Giant's application removing 63% of a PC's adware
components, and its nearest competitor, Webroot Spy Sweeper, removing
less than 50%, it's clear that Microsoft has a potential winner on its
hands.

In the following table, which was reviewed by Howes himself before its
publication here, the *Adware Fixed* column represents the percentage of
critical components successfully removed, not just detected, by each
product (higher percentages are better). The *False Positives* column
shows the number of benign Windows files that were incorrectly reported
by a product as adware (lower numbers are better):

        *Product*                    *Adware Fixed*   *False Pos.*
        Giant AntiSpyware            63%              0
        Webroot Spy Sweeper          48%              0
        Ad-Aware SE Personal         47%              0
        Pest Patrol                  41%              10
        SpywareStormer               35%              0
        Intermute SpySubtract Pro    34%              0
        PC Tools Spyware Doctor      33%              0
        Spybot Search & Destroy      33%              0
        McAfee AntiSpyware           33%              9
        Xblock X-Cleaner Deluxe      31%              1
        XoftSpy                      27%              3
        NoAdware                     24%              0
        Aluria Spyware Eliminator    23%              3
        OmniQuad AntiSpy             16%              1
        Spyware COP                  15%              0
        SpyHunter                    15%              1
        SpyKiller 2005               15%              2


Howes didn't test the anti-adware programs in the above list against a
program called CoolWebSearch (CWS). This little bugger mutates every few
days, it seems. CWS actually requires a completely separate anti-adware
program, CWShredder, which is constantly evolving along with the
nuisance. This is explained in more detail later in this article.

The fact that anti-adware products fail to remove all or even most
adware components has been an open secret among security professionals
for some time. For this reason, tech writers often say, "You should
install two different programs and run both of them for maximum protection."

To test this assertion, I compiled Howes's raw data into a new table
showing the removal rate of the best app, Giant AntiSpyware, with every
other tested product. According to this analysis, combining Webroot Spy
Sweeper with Giant AntiSpyware did the most to remove unwanted
components. But the combination of the two apps increased Giant's 63%
success rate only 7 percentage points, to 70%:

        *Giant AntiSpyware plus...*     *Total Adware Fixed*
        Webroot Spy Sweeper             70%
        Ad-Aware SE Personal            69%
        PC Tools Spyware Doctor         68%
        Pest Patrol                     67%
        Spybot Search & Destroy         67%
        Spyware Stormer                 67%
        Spyware COP                     66%
        Aluria Spyware Eliminator       65%
        Intermute SpySubtract Pro       65%
        NoAdware                        65%
        XoftSpy                         65%
        McAfee AntiSpyware              64%
        OmniQuad AntiSpy                64%
        SpyHunter                       64%
        SpyKiller 2005                  64%
        Xblock X-Cleaner Deluxe         64%


Finally, the computer press often recommends that the two anti-adware
products that should be used together are Ad-Aware SE Personal and
Spybot Search & Destroy. That preference may have become the
conventional wisdom because both of these products have low-end,
freeware versions. PC World
<http://WindowsSecrets.com/links/36983d/211307h/?u=www.pcworld.com%2Freviews%2Farticle%2F0%2Caid%2C115939%2Cpg%2C6%2C00.asp>,
PC Magazine
<http://WindowsSecrets.com/links/36983d/6095b4h/?u=www.pcmag.com%2Farticle2%2F0%2C1759%2C1618804%2C00.asp>,
and other publications have recommended this combination as recently as
June and August, respectively.

Ad-Aware and Spybot may have been a great combo back then. But adware
apparently moves much faster than these two companies do. According to
Howes's data, the two programs together barely removed half the adware
components on an infected PC:

        *Ad-Aware SE Personal plus...*  *Total Adware Fixed*
        Spybot Search & Destroy         54%


I found no combination of any two anti-adware programs that removed more
adware components than Giant AntiSpyware and Webroot Spy Sweeper, based
on Howes's data. Removing only 70% of adware, unfortunately, isn't good
enough. A much better strategy is to prevent adware from getting into
your systems in the first place. I'll cover that next.

*How to defend yourself against adware*

First, let me make my opinion clear: The installation of adware should
be illegal and harshly punished. Adware has exploded because it offers
big economic incentives for its sponsors. They'll never adequately
inform PC users about their software before it's installed. This
troubling aspect of adware will never be wished away.

Only software that a PC user specifically consents to should legally be
able to install--and "end-user license agreements" that stretch off the
screen should never be counted as consent. (This isn't a knock on
"ad-supported software," such as the Opera browser. Such legitimate
software is clearly integrated with its advertising and makes it easy to
shut off the ads by registering.)

In reality, today's tech-illiterate legislatures will never ban adware--if
they could even think of an effective legal approach to do so. We
need to engage the battle on a technical level instead.

To understand adware, you first need to know how PCs get it. The ways
that Howes obtained the adware he used in his tests provide us with some
perfect examples:

    * *Software downloads.* For one group of tests, Howes downloaded and
      installed Grokster, a popular peer-to-peer file-sharing program,
      from CNET Download.com. Installing Grokster and clicking OK in its
      subsequent dialog boxes loaded 15 separate adware programs,
      containing 134 "critical" executable components, by Howes's count.
      This source of infection would compromise even Windows XP with its
      new Service Pack 2 (SP2).
    * *Drive-by downloads.* To set up another group of tests, Howes used
      Internet Explorer to visit the following Web locations: 007 Arcade
      Games (a games site), LyricsDomain (a song lyrics site), and
      Innovators of Wrestling (yup, a wrestling site). This resulted in
      23 different adware programs being installed, carrying 138
      components, Howes says. Drive-by downloads such as these are now
      less of a problem for users who've installed XP SP2.
    * *You can't step into the same river twice.* For yet another test,
      Howes visited the wrestling site again, but on a different date.
      The makers of adware must have signed a lot of distribution
      contracts with the site in the interim. Howes says his PC picked
      up 25 adware programs and 153 components on that one visit alone.
      (You'll notice that I didn't link to the examples I cited above,
      and I strongly recommend that you avoid trying any of them.)

It's not enough to say "PC users should be more careful." Computer
professionals, instead, have a duty and an obligation to prevent adware
from infecting their PCs or anyone else's. Here are some steps to take:

    * *Use Giant AntiSpyware (or install the MS beta), Webroot Spy
      Sweeper, and CWShredder.*
      At the moment, this is the short list of programs that appear to
      remove the largest number of adware components. I recommend that
      you buy the registered versions of these applications and keep
      them constantly updated. The few dollars involved are well worth
      it, compared to the damage that can be done by a rogue program
      controlling your PC.

      Microsoft hasn't yet announced whether its version of the Giant
      application will cost money or be free after the beta period is
      over--stay tuned. (Note: The MS beta is incompatible
      <http://WindowsSecrets.com/links/36983d/2ba995h/?u=support.microsoft.com%2F%3Fscid%3Dkb%3Ben-us%3B892374>
      with the MS Media Center Extender and has other 0.9-type issues.)

      See Giant AntiSpyware download
      <http://WindowsSecrets.com/links/36983d/421893h/?u=www.download-ware.com%2FUtilities%2FSecurity%2FGIANT_AntiSpyware_31269.html>,
      Microsoft AntiSpyware beta
      <http://WindowsSecrets.com/links/36983d/5f5deah/?u=www.microsoft.com%2Fathome%2Fsecurity%2Fspyware%2Fsoftware%2Fcurrentcustomers.mspx>,
      Webroot Spy Sweeper
      <http://WindowsSecrets.com/links/36983d/2ab345h/?u=www.webroot.com%2F>,
      CWShredder
      <http://WindowsSecrets.com/links/36983d/e3bd4bh/?u=www.intermute.com%2Fspysubtract%2Fcwshredder_download.html>.


    * *For prevention, install IE-SPYAD and Spyware Blaster.* IE-SPYAD
      is a list maintained by Eric Howes of approximately 8,900 Web
      sites that are known to do things like install adware, hijack your
      browser home page, etc. Merging the list into your Windows
      Registry puts these sites into IE's Restricted Sites zone. They
      can't do much of anything to you then. The list, as of this
      writing, requires manual updating, but Howes hopes to automate the
      process soon.

      Spyware Blaster is freeware by Javacool Software that Howes
      recommends to guard against adware installs. A registration fee
      of $9.95 USD enables the auto-update feature of the software,
      which Howes encourages. Javacool also makes a related program,
      SpywareGuard.

      As commercial anti-adware programs develop their own always-on
      defenses, they may conflict with alternatives such as Spyware
      Blaster. Check the maker's documentation for possible
      incompatibilities before installing multiple products.

      See IE-SPYAD
      <http://WindowsSecrets.com/links/36983d/527e23h/?u=netfiles.uiuc.edu%2Fehowes%2Fwww%2Fresource.htm>,
      Spyware Blaster
      <http://WindowsSecrets.com/links/36983d/78b990h/?u=www.javacoolsoftware.com%2Fspywareblaster.html>.

    * *Read up on Eric Howes's site.* Aside from Howes's postings about
      his anti-adware test suite, linked to below, a particularly good
      read is his analysis of so-called anti-adware programs that are
      actually Trojan horses. People are so desperate to get rid of the
      adware that's slowing their systems to a crawl, Howes says, that
      too often they grasp at anything that promises a fix. See his list
      of rogue/suspect anti-spyware
      <http://WindowsSecrets.com/links/36983d/0bb122h/?u=www.spywarewarrior.com%2Frogue_anti-spyware.htm>.

    * *For big problems, consider stronger tools.* HijackThis, for
      example, is a deep-analysis utility that examines the Registry and
      sectors of hard disks where adware often lurks. It's not a tool
      for novices, but a serious scalpel for those who are faced with
      major surgery on their PC. It produces log files that can be
      analyzed by experts, many of whom help PC users by volunteering
      their time in online forums. HijackThis quick start
      <http://WindowsSecrets.com/links/36983d/8e8962h/?u=www.tomcoyote.org%2Fhjt%2F%23Top>

    * *Keep your security baseline updated.* In this issue of the
      Windows Secrets Newsletter, we've begun a regular section on the
      six elements needed to protect your PC. This section appears below.

It's absolutely absurd that PC users must download, install, and update
multiple programs just to keep their machines from silently accumulating
crapware from morally-challenged Web sites. It's criminal that the
leading ISPs and software giants of the world didn't move earlier to
prevent these nuisances from taking over the majority of consumers' PCs.

The underlying reason that adware has compromised the entire Internet is
that there's big money to be made. The best analysis of this I've seen
is by Benjamin Edelman, a Harvard Law School student. He's documented
almost $140 million in recent investments by Silicon Valley venture
capitalists in just four of the largest adware makers. See list of
adware angels
<http://WindowsSecrets.com/links/36983d/8b80c9h/?u=www.benedelman.org%2Fspyware%2Finvestors%2F>

For those who are interested in deeper research on adware, links to Eric
Howes's raw data on his comparative tests are posted on his anti-spyware
testing
<http://WindowsSecrets.com/links/36983d/7ee031h/?u=spywarewarrior.com%2Fasw-test-guide.htm>
page.

To send us more information about adware, or to send us a tip on any
other subject, visit WindowsSecrets.com/contact
<http://WindowsSecrets.com/links/36983d/37ef18h/?u=WindowsSecrets.com%2Fcontact>.
You'll receive a gift certificate for a book, CD, or DVD of your choice
if you send us a comment that we print.
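
The article's IE-SPYAD item describes merging a site list into the Registry so those sites land in IE's Restricted Sites zone. The following is an added example, not part of the forwarded article or of IE-SPYAD itself: a check to run over a .reg file before merging it, confirming it only maps sites to zone 4. It assumes the standard Internet Explorer ZoneMap\Domains registry layout; the sample .reg text, its domains and the ExampleVendor key are constructed placeholders.

```python
import re

# Internet Explorer security zone numbers; 4 is Restricted Sites.
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}
ZONEMAP = (r"\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains").lower()
KEY_RE = re.compile(r"^\[(-?)HKEY_[A-Z_]+(\\.*)\]$")
VAL_RE = re.compile(r'^"([^"]*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample .reg text; every domain and key below is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adware-example.test]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\tracker-example.test\www]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\odd-example.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"flag"=dword:00000001
'''


def audit_reg(text):
    """Return (mappings, findings); mappings are (host, scheme, zone) tuples."""
    mappings, findings = [], []
    key_path, in_zonemap = "", False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        key = KEY_RE.match(line)
        if key:
            delete, key_path = key.groups()
            in_zonemap = key_path.lower().startswith(ZONEMAP + "\\")
            if delete:
                findings.append(f"line {lineno}: deletes key {key_path}")
            elif not in_zonemap:
                findings.append(f"line {lineno}: key outside ZoneMap Domains: {key_path}")
            continue
        if not in_zonemap:
            continue  # already reported once at the key line
        val = VAL_RE.match(line)
        if not val:
            findings.append(f"line {lineno}: not a dword zone value: {line}")
            continue
        # Keys are stored domain first: Domains\example.test\www -> www.example.test
        labels = key_path[len(ZONEMAP) + 1:].split("\\")
        host, zone = ".".join(reversed(labels)), int(val.group(2), 16)
        mappings.append((host, val.group(1), zone))
        if zone != 4:
            findings.append(f"line {lineno}: {host} -> zone {zone} "
                            f"({ZONES.get(zone, 'unknown')}), expected 4")
    return mappings, findings


if __name__ == "__main__":
    sites, problems = audit_reg(SAMPLE_REG)
    print(sites)
    print("\n".join(problems) or "no findings")
```

An empty findings list means the file only adds Restricted Sites mappings; any finding is a reason to read that line before merging.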
