Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

By request: What is the best antispyware application?

September 26th 2006 in Uncategorized

Hello Tagshare – tell Wayne he owes me a Chivas [D]

"What is the best antispyware application?" is an oft asked question.  Unfortunately, gentle reader, the answer is one that you may not like.

In short, there is no magical prophylactic out there that will protect your computer from all spyware, or from the inevitable results of "unsafe hex".  So, as much as I would like this article to say "download and install Product X and you will be safe", that is not going to happen.

I have lost track of the number of times I have been asked to clean an infected PC, and the owner says to me "but I'm running Product X, or Product Y – I thought I was protected".  I've also lost track of the number of times products such as AdAware, Spybot, Trend, and sundry other catch-all antispyware or antivirus products have been installed on a PC yet FAILED to PREVENT or properly CLEAN an infection.

You see, many antivirus and antispyware applications are "reactive".  A threat emerges and they react to it – studying the threat, and then writing and releasing definitions that detect it, leaving a window of opportunity when the threat is undetectable.

The malware world is not what it was back when AdAware, Spybot and the like came into being.  Back then, adware removal was easy.  All you had to do was delete a few files whose names never changed, and perhaps some registry entries.

But then randomly named files appeared, then hidden files, then super hidden files, then the bad guys started installing multiple services that monitored each other and instantly recreated or reinstalled any malware that was removed, then came the rootkits, then loading themselves into every process via the AppInit_DLLs registry value, making it well nigh impossible for old style cleaners to get rid of infections.

Nowadays, I do not recommend AdAware *at all*, and only recommend products like Spybot to improve the signal to noise ratio – that is, to get rid of the easy stuff so that I can concentrate on the big problems.

What we need to do is get past the idea of depending on what is effectively a monitored alarm system, and stop the bad guy *before* he climbs through the open window and trips an alarm.  By the time that alarm has been tripped, a lot of damage may have already been done.

Ok, so as we move away from detection of threats as they appear on our machines, towards preventing the bad guys from being able to raise a threat at all (a subtle, but important distinction), how is this best achieved?  We take a multi-pronged approach.  We look at the operating system; we look at its patch level; we look at the Web browser; we look at user permissions; we look at the Web browser settings.

Ok, let's get to work.

Operating system:
Move away from Windows 95, 98, 2000 and XP SP1.  Upgrade to XP SP2.  Local Machine Zone Lockdown (LMZ lockdown) stops content running from the Local Machine zone from using script and ActiveX with the privileges that zone used to enjoy; Zone Elevation Blocks stop a page in one zone from navigating into a more privileged zone; and MIME Handling Enforcement stops a file served as one content type from being handled as a more dangerous one.  Together they make it that bit harder for the bad guys to get to us via the Internet.

Rather than repeat the content of one of my published articles, I'll send you to its URL for further information:
http://www.microsoft.com/windows/ie/community/columns/improvements.mspx

Security patches:
Download and install those security patches.  Turn on Automatic Updates and set it to check for updates every day (yes, I know, we have "Patch Tuesday" now, but products such as Windows Defender are not restricted to once-a-month updates, and we also want to get out-of-band security patches as soon as they are released – and believe me, if it's out of band, you want to install it as soon as possible).

When the MySpace banner ad debacle occurred in July this year, over 1 million PCs were infected via an exploit that had been patched six months earlier!  In August, itnews.com.au reported that 50,000 PCs had been found infected via a specific exploit in the week after the corresponding patch was released.  This is because the bad guys grab those patches, reverse engineer them and work out how to use the vulnerabilities those patches fix to infect as many machines as possible.  You have to patch, or, if you must test a patch before roll-out, you have to apply one of the approved workarounds in the meantime.

Internet Explorer:
The single most effective thing you can do to protect yourself from spyware on the Internet is to update to Internet Explorer 7.  Of course, if you are in a corporate environment you will need to check your Line of Business applications to ensure that they will continue to work. Read the RELEASE NOTES and make a judgment call based on the software that you run.

To be extra careful, you can search the general Internet Explorer newsgroup for mention of your software to see if others are having problems.

Now, as the following URL will show you, running IE7 will *NOT* protect you if you don't practice safe hex.  That is, if you reduce Internet Explorer's security settings, if you say yes to download prompts, if you believe, and click on, those ridiculous pop-ups and banner ads that trumpet false warnings about infection, or if you allow pop-up advertisements (which are also often used to slip malware on to a PC), you will end up getting infected.

Malware in action – August 2006:
http://msmvps.com/blogs/spywaresucks/archive/2006/08/28/110588.aspx
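The sections above list what to look at: the OS level, the patch schedule, the browser lockdown and zone settings, and the account you browse with. Here is a read-only audit of those items in one script. It is an added example, not code from this post or from Microsoft; the registry paths and the expected values are my understanding of a Windows XP SP2 build and should be treated as assumptions and confirmed against your own machine before you act on a FAIL line.

```powershell
# Added example, not from the original post or from Microsoft: a read-only
# audit of the things the post tells you to look at (OS level, patch schedule,
# IE lockdown, zone level, user permissions, AppInit_DLLs). Registry paths and
# expected values are as I understand them for Windows XP SP2; treat them as
# assumptions and confirm against your own build before acting on a FAIL.

function Get-RegValue([string]$path, [string]$name) {
    # $null when the key or the value does not exist, instead of an error.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

function Report([string]$check, [bool]$ok, [string]$detail) {
    $flag = if ($ok) { "OK  " } else { "FAIL" }
    Write-Output ("[{0}] {1}: {2}" -f $flag, $check, $detail)
}

# 1. Operating system: XP SP2 or later (Win32_OperatingSystem reports 5.1 for XP).
$os   = Get-WmiObject Win32_OperatingSystem
$v    = [version]($os.Version)
$spOk = ($v.Major -gt 5) -or ($v.Major -eq 5 -and $v.Minor -ge 1 -and $os.ServicePackMajorVersion -ge 2)
Report "OS level" $spOk ("Windows {0} SP{1}" -f $os.Version, $os.ServicePackMajorVersion)

# 2. XP SP2 feature controls behind LMZ lockdown, zone elevation blocks and
#    MIME handling enforcement: each should be 1 for iexplore.exe.
$fc = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl"
foreach ($feature in "FEATURE_LOCALMACHINE_LOCKDOWN", "FEATURE_ZONE_ELEVATION",
                     "FEATURE_MIME_HANDLING", "FEATURE_MIME_SNIFFING") {
    $val = Get-RegValue "$fc\$feature" "iexplore.exe"
    Report $feature ($val -eq 1) "iexplore.exe = $val (expected 1)"
}

# 3. Patch level: Automatic Updates set to download and install every day.
#    (A WSUS/Group Policy key under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
#    overrides this one when present; check that instead on managed machines.)
$au  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
$opt = Get-RegValue $au "AUOptions"            # 4 = auto download + scheduled install
$day = Get-RegValue $au "ScheduledInstallDay"  # 0 = every day, 1-7 = Sunday..Saturday
Report "Automatic Updates" ($opt -eq 4 -and $day -eq 0) "AUOptions=$opt ScheduledInstallDay=$day (want 4 / 0)"

# 4. Browser settings: Internet zone (zone 3) not lowered below Medium.
#    CurrentLevel: 0x10000 Low, 0x10500 Medium-Low, 0x11000 Medium, 0x12000 High.
$zone  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
$level = Get-RegValue $zone "CurrentLevel"
Report "Internet zone level" ($level -ge 0x11000) ("CurrentLevel=0x{0:X} (Medium or higher expected)" -f $level)

# 5. User permissions: day-to-day browsing should not be done as an administrator.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
Report "Non-admin browsing account" (-not $isAdmin) "running as administrator: $isAdmin"

# 6. AppInit_DLLs: anything listed here is loaded into every process that uses
#    user32.dll, which is why the post singles it out. It should be empty.
$appinit = Get-RegValue "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" "AppInit_DLLs"
Report "AppInit_DLLs" ([string]::IsNullOrEmpty($appinit)) "value = '$appinit' (expected empty)"
```

Run it from an elevated PowerShell prompt so the HKLM reads succeed, and run it again in the ordinary user's session so the HKCU zone level and the admin check reflect the account that actually browses. A FAIL on AppInit_DLLs on a machine you are cleaning is the kind of thing the post describes: it means something is being injected into every process, and no amount of browser hardening helps until it is gone.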

Other Web browsers:
Don't assume that just because you use Firefox, or Opera that you are somehow "safe".  You're not.  Firefox and Opera will not protect you from unsafe behaviour and settings, and they have also been subject to their own exploits.  Search this blog for the word Firefox or the word Opera to find articles that I may have posted about vulnerabilities in those products.

Safety on the Internet:
As the WinFixer example linked above illustrates, we *must* start practicing "safe hex".  Pop-up advertisements, banner ads, and Web pages are all conduits for infection.   If anything tries to warn you that your PC is infected **and you did not go to that site and request a scan** DON'T BELIEVE IT!  Seriously.  If you really want to be sure, go to a reputable site like Trend or Ewido and conduct your own scan.

Remember, a pop-up or Web page **cannot** scan your computer for infections without the assistance of additional software which you must download and install first.  A page can learn a little about your browser and the plug-ins it exposes, but it cannot see what is on your disk, so if a pop-up or banner reports that it has detected <whatever>, it's lying.

There is a famous Microsoft essay entitled "The 10 Immutable Laws of Security" which can be found here:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Briefly, the 10 laws of security are:

 Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

 Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore

 Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore

 Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more

 Law #5: Weak passwords trump strong security

 Law #6: A computer is only as secure as the administrator is trustworthy

 Law #7: Encrypted data is only as secure as the decryption key

 Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

 Law #9: Absolute anonymity isn't practical, in real life or on the Web

 Law #10: Technology is not a panacea

But I still want to use antivirus and antispyware software – what do you recommend?

Ok, I'll answer your question, but you have to *promise* to keep your system patched, practice safe hex, and not assume that your choice of prophylactic is going to allow you to throw caution to the wind and do whatever you want online without risk of harm.

Forget AdAware and Spybot, ok?  They're not up to the job with the nasty stuff out there like Smitfraud, Vundo and their ilk.

This is what I recommend:

1.  Install IE7 (after reading the release notes and assessing whether it is compatible with essential applications).  Not only does it beef up your Web browser security, it has been immune to virtually every exploit published this year.

2.  You may want to consider Mike Burgess's HOSTS file.  It works by stopping your computer from getting to many known bad sites – that is, your computer will not download stuff and *then* be stopped from running it (assuming it is not already too late) – instead, access to the bad sites is blocked outright, and the bad stuff never gets anywhere near you.  If a Web page tries to load something from a bad site, whether it be a pop-up, a banner ad, a dangerous file, or even an entire Web page, IE simply won't get there, because the host names are all mapped to localhost (127.0.0.1, your own machine) and the request never leaves it.  Mike's HOSTS file can be found here:
http://www.mvps.org/winhelp2002/hosts.htm

IMPORTANT DISCLAIMER:  The HOSTS file will not protect you from previously unknown or very new dangerous sites, but it will do more than just about any product to reduce the attack surface.  It must be updated regularly; you can subscribe to a mailing list that will alert you to updates.

3.  Windows Defender Beta 2 – but make sure you upgrade to Advanced Membership and turn on real time protection.  Windows Defender is a traditional "detection" product in many ways, but it stands out from the crowd because of SpyNet, an early warning system about spyware and other undesirable software.  As Windows Defender is used around the world to scan systems, information about newly discovered threats is quickly circulated between SpyNet's advanced members using the SpyNet Community Rating system for unclassified software.  That rating shows what other Windows Defender users have done when a particular program or item turned up on their machines, as a bar graph of how many people allowed, removed or blocked it.  So you are warned not only about classified software, but also about unclassified software that the SpyNet community does not trust.

Windows Defender can be set to check for updates immediately before every scan.  Make sure you use that setting.

4. Antivirus.  For years I used Vet Antivirus until the product was bought out by Computer Associates and I became concerned at where the product was going, at which time Trend wooed me away.  Again, it must be updated regularly (all my systems are set to check for updates hourly), and I strongly recommend nightly scans (not weekly, as some recommend).

I strongly recommend AGAINST Norton and McAfee products.
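Item 2 above leans on one mechanism: the resolver consults the HOSTS file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never reaches the real server. The script below is an added example, not code from this post or from the MVPS site; it parses a HOSTS file the way the resolver reads it and tests whether a given URL would be stopped, using a small constructed file with placeholder example.* names, so that the edge cases (case, multiple names per line, subdomains, IP-literal URLs) are visible.

```powershell
# Added example, not from the original post or the MVPS site: parse a HOSTS
# file (address, then one or more names, '#' comments) and test whether a URL
# would be stopped by it. The file content below is constructed for the
# example; the example.* host names are placeholders, not real ad servers.

$sampleHosts = @"
# constructed sample, not the MVPS list
127.0.0.1       localhost
127.0.0.1       ads.example.net            # banner ad server
0.0.0.0         popups.example.org         # 0.0.0.0 works as well as 127.0.0.1
127.0.0.1       tracker.example.com  www.tracker.example.com
"@

function ConvertFrom-HostsFile([string]$text) {
    # Returns a hashtable: host name (lower case) -> address it is mapped to.
    $map = @{}
    foreach ($line in ($text -split "`r?`n")) {
        $line = ($line -replace '#.*$', '').Trim()        # drop comments
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }              # malformed line, ignore
        for ($i = 1; $i -lt $fields.Count; $i++) {         # several names per line
            $map[$fields[$i].ToLower()] = $fields[0]
        }
    }
    return $map
}

function Test-HostsBlocked([hashtable]$map, [string]$url) {
    # $true only when the URL's host name is mapped to a loopback or unspecified
    # address, i.e. the request would never leave the machine.
    $uri = New-Object System.Uri $url
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
        return $false                                      # IP-literal URL: HOSTS is never consulted
    }
    if ($uri.Host -eq 'localhost') { return $false }       # legitimate loopback entry
    $target = $map[$uri.Host.ToLower()]
    return @('127.0.0.1', '0.0.0.0', '::1') -contains $target
}

$map  = ConvertFrom-HostsFile $sampleHosts
$urls = @(
    'http://ads.example.net/banner.js'                     # listed: blocked
    'http://POPUPS.example.org/win.html'                   # case does not matter: blocked
    'http://cdn.ads.example.net/banner.js'                 # subdomain not listed: NOT blocked
    'http://192.0.2.10/fake-scan.html'                     # IP literal: NOT blocked
)
foreach ($url in $urls) {
    "{0,-42} blocked={1}" -f $url, (Test-HostsBlocked $map $url)
}
```

The last two URLs are the caveats a practitioner should keep in mind: a HOSTS file has no wildcards, so every new host name an ad network or malware distributor rotates to is a miss until the list is updated, and a URL that uses a raw IP address never touches the file at all. Two more things to check when you deploy or clean: on Windows XP a very large HOSTS file can make the DNS Client service slow, which the MVPS page discusses, and malware edits HOSTS files too (typically to redirect security vendors' update sites), so inspect the file for entries you did not put there as part of any clean-up.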


5 comments to...
“By request: What is the best antispyware application?”

Sonic

What about Avast Antivirus Home Edition? As you strongly recommend against Norton and McAfee products, I really want to know your opinion about Avast. Would you mind putting your comment about the Avast product on your feeds or blog?



sbsfaq

Thank you Sandi – hopefully this will help some understand that just like speeding in a car – it's ok until you hit something or get caught!



war_child

LOL! Are you serious? Install IE7? I have not laughed so hard all week. Get yourself Mozilla or Opera and most of your problems go away. I go weeks or even months and only gain about 20 spyware using these alternate browsers. Also, to get rid of the real nasty stuff I can recommend HijackThis and CWShredder.

Sandi: You're going to have to do more than say "get Firefox or Opera and most of your problems will go away".  Please read my latest article about the Firefox Zero Day scare, and then give us stats and cites please, not sentiment.  I can state categorically that IE7 has been immune to virtually every vulnerability that has been publicised this year.

You may "only gain about 20spyware" over weeks or even months using Firefox or Opera – for me, that's not good enough – I get *no* spyware using IE7 [:D]

Regarding fighting malware, those of us at the cutting edge of the fight against the hijackers know that CWShredder has been neglected for a very long time (ever since it was purchased by Trend Micro) and that it can't be depended on to get the new stuff.

HJT is only of use if you have a guide to help you decide what to remove, and may not help with the newest malware that uses rootkits.



wings_of_death

lmao, you say to install IE7 and you got "0" spyware. I call bs on you. Why do you think the majority of techs use Firefox?

Sandi says: That's exactly what I'm saying. 

As for the majority of techs using Firefox, got a cite for that?

why do you think it's got such a massive following? because it has that cute little fox i hear you say?

Sandi says: Oh I dunno.. maybe it's because some pay people to advertise Firefox and pay to get people to switch?  http://msmvps.com/blogs/spywaresucks/archive/2006/04/27/92754.aspx

bah. same goes for opera and other assorted browsers, the reason why they don't fall to spyware etc is that they're not targeted whereas ms products ARE.

Sandi: Gotta agree with that, although the bad guys are focusing on the alternate browsers more and more.

and saying that firefox/opera is not good enough for you,

Sandi: Actually, I have recommended Opera publicly many times for its download manager, and advertised Deepnet on my site, and recommended it, before it screwed up installations and file type associations one too many times – you haven't been reading my blog or site for very long, have you.

that's just saying that you're too weak of an admin to investigate whether or not your appz will work on those products rather than the IE7 as you say testing your appz blah blah blah.

Sandi: <yawn>

you're a ms fanboi as you obviously believe that windows defender does a good job – you're crazy. do some more research without first launching into the ms products are so good.

Sandi: <yawn> again. And you're a Firefox fanboy – does that make us even?

also, recommending products like spybot is a joke, you obviously haven't had to fix a machine infected with spyware/malware have you?

Sandi: Ok, now I *know* that you have no idea who I am, what I've done, or what you are talking about.  If you read my blog on a regular basis you'd know that your statement about whether or not I have had to fix a machine infected with spyware/malware isn't true.  I'm the person people call when the third party products fail.

Go and read the 'by request' article again. I specifically recommend *against* spybot.  To be precise, I say "Forget AdAware and Spybot, ok?  They're not up to the job with the nasty stuff out there like Smitfraud, Vundo and their ilk."

why not recommend other proven products, like HijackThis, Spyware Detector, and delve more into the detail of Trend's anti-spyware? Saying just having Trend is ok is not; I've seen systems with the full suite of Trend products take a pounding and then have had to clean up using the above mentioned tools… like I said, you have no clue

Sandi: <yawn> HJT should not be used by the man in the street.  It is a diagnostic and analysis tool.

I have a long-standing troubleshooting page that discusses many different tools, for the beginners, and for experts.  You know where that page is, yes?

Again, if you read my blog you'll find instances where Trend has failed, and I've said so.  You'd also know that I don't use tools to clean up, I rip things out by hand.

I'll leave it to you to go do some reading.

good day.

Sandi: Ah, a polite finish.  I suppose that makes up for all that fanboi spouting.



wings_of_death

fair 'enuff, will go read some more, just was looking at sbsfaq.com and found this article about spyware interesting as it's such a plague these days

i'm always polite, just 'cos i bash you about doesn't mean i won't be polite about it

thanks for the tip on that link too, was good – and yes, i admit i never checked out your other stuff, just read your take on spyware from this post only

wings_of_death

 

Sandi: :o)  No problems.

