Tuesday, January 18, 2005

Another Nice Thing from Microsoft

This is from Risks Digest 23.66:

Date: Fri, 7 Jan 2005 13:49:15 -0800
From: Rob Slade
Subject: Microsoft AntiSpyware beta - quick review

The beta version of Microsoft's Anti-Spyware program (purchased from Giant) is available at http://www.microsoft.com/downloads/details.aspx?familyid=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en&Hash=5BMW635

The beta version is about a 6.4 meg download, and can be downloaded as a file in order to copy and install it onto other machines. That's very nice, and a departure from Microsoft's often heavy-handed approach.

Installing offers you a few options: do you want to set it to automatically update (I did), do you want it to install real-time protection (I did: so far it hasn't interfered with much, but I haven't used it much, either), and do you want to join Spynet. Spynet is not an invitation to join a kind of corporate CIA, but will report on "suspect" files. There is a fair amount of information on what it collects, if you ask for it. It seems to send information about file sizes and an MD5 hash back to HQ, but not, seemingly, the suspect file itself. In any case, there wasn't enough information on what it *doesn't* collect for me to feel comfortable, so I turned it off. (I hope.)

The installation seems to default to a reasonably protected mode: the defaults are for auto updating, real-time protection, and scheduled scans (although the schedule is for 2 am).

When you start up the program, it is initially set for a quick scan. I changed that to a full scan, which took about half an hour on my machine.

From a quick test, the MS antispyware, at least in beta, falls between Spybot S&D and Adaware in terms of detection. Spybot is fairly conservative, and only deals with stuff that is pretty certain to be spy/adware, whereas Adaware will detect a bunch of other stuff. The MS product detected one copy of BackWeb (inactive) that Spybot had not, and detected about 38 copies of 15 versions of other stuff from my samples directory. (Adaware quarantined about 60.) The items detected all seem to have at least some remote access component, even if it is rather limited (such as BadTrans.B, that drops a keylogger). Oddly, it only detected two of my extensive collection of Bagles.

You can ask the program to deal with individual threats in different ways, although seemingly not individual files. (As a researcher, I like that. In terms of protection, I'm not as sure.) The options are to remove, quarantine, ignore, or always ignore. The program usually defaults to quarantine, although some threats are considered more serious, and marked to remove. The explanation of "always ignore" is not detailed enough, as far as I am concerned: does this mean always ignore this particular file, or always ignore this threat?

You can also specify certain directories to scan, or to ignore. Again, as a researcher I really appreciate the ability to tell it to ignore my sample directory. Unfortunately, this option doesn't work properly: it scans directories you tell it to ignore, regardless. When I told it to scan *only* my sample directory, it seemed to scan a fair amount of other stuff as well. Again, from a protective standpoint, this is probably a good thing.

At the moment, after a very quick test, I'd provisionally recommend the use of the MS/Giant antispyware program, at least in fairly restricted and manual mode. I'd be interested in hearing from others who have tested the real-time operations more extensively, and particularly from anyone who has tested the Spynet capabilities, and what information is returned thereby.

http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade

I haven't tried it yet.
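Two points in the review above are easy to make concrete: the kind of record a Spynet-style reporter sends (file size plus an MD5 hash, not the file itself), and the directory exclusion the reviewer says the beta ignored. The following is an added illustration written for this post, not code from Rob Slade's review or from Microsoft's product; the sample tree, file names and contents are constructed placeholders, and the `scan`/`suspect_report` functions are hypothetical stand-ins for what such a scanner would do.

```python
import hashlib
import os
import tempfile

# Constructed sample tree: hypothetical names and harmless placeholder bytes
# standing in for a researcher's "samples" directory plus an ordinary document.
SAMPLE_TREE = {
    "samples/bagle_a.bin": b"placeholder payload A",
    "samples/backweb.dll": b"placeholder payload B" * 3,
    "docs/readme.txt": b"just a document",
}


def make_tree(root):
    """Write SAMPLE_TREE under root and return the absolute paths written."""
    written = []
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


def suspect_report(path):
    """Build the record the review describes: file name, size and MD5 only.
    The file contents never enter the record; hashing in chunks keeps memory
    flat for large files."""
    digest = hashlib.md5()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return {"name": os.path.basename(path), "size": size, "md5": digest.hexdigest()}


def scan(roots, ignore=()):
    """Walk each root and return a report for every file visited, pruning any
    directory listed in `ignore` before descending into it. Editing os.walk's
    dirnames list in place is what makes an ignored subtree actually skipped,
    which is the behaviour the reviewer expected from the exclusion option."""
    ignore = {os.path.abspath(p) for p in ignore}
    reports = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            if os.path.abspath(dirpath) in ignore:
                continue  # a root that is itself on the ignore list
            dirnames[:] = [
                d for d in dirnames
                if os.path.abspath(os.path.join(dirpath, d)) not in ignore
            ]
            for name in filenames:
                reports.append(suspect_report(os.path.join(dirpath, name)))
    return reports


def demo():
    """Create the sample tree in a temporary directory, scan it with the
    samples directory excluded, and return (names scanned, report for one
    sample) so the exclusion and the record shape can both be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = make_tree(tmp)
        scanned = scan([tmp], ignore=[os.path.join(tmp, "samples")])
        names = sorted(r["name"] for r in scanned)
        one = suspect_report(paths[0])
    return names, one


if __name__ == "__main__":
    names, one = demo()
    print("scanned with samples/ excluded:", names)
    print("report for one sample:", one)
```

Running the block scans only `docs/readme.txt`, because `samples/` is pruned before it is entered, and the printed report for a sample carries a name, a byte count and a 32-character MD5 hex digest and nothing else, which is the shape of the data the review says leaves the machine.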
