In-Depth

Spyware Meets Its Match -- Almost

Microsoft's anti-spyware tool works well enough, but some readers question its categorization and detection capabilities.

Spyware is here with a vengeance. A recent study by research firm IDC revealed that more than two-thirds of the world's workplace computers are infected with some form of spyware or malware. This translates into untold hours of frustration, lost productivity and serious security risks.

In fact, the 600 global organizations surveyed for the November 2004 study rated spyware as the fourth greatest threat to enterprise network security, which led IDC to predict that anti-spyware software revenue will grow to $305 million in 2008, up from $12 million in 2003.

Those kinds of numbers don't go unnoticed at Microsoft. In December 2004, the company bought anti-spyware firm Giant Software. Microsoft quickly repurposed Giant's tool, renamed it and released it as a free beta. (While Microsoft initially renamed it Windows AntiSpyware, at press time it had renamed it again to Windows Defender.) By most accounts, Microsoft Windows AntiSpyware works well. It sports Giant's admired spyware detection features and draws on Microsoft's own knowledge of Windows internals to make spyware removal and cleanup efficient and stable.

"It's Microsoft-made, so it knows how to remove something when it finds it," says Neal Zimmerman, northeastern field services manager at a nationwide education firm. Zimmerman's company has rolled out the beta to more than 3,000 Windows XP and 2000 machines. "It knows all the registry keys to look in and knows all the DLL associations, so it can rebuild things properly."

Most users find Microsoft's tool is reliable for detecting spyware. Nawar Aljanabi, senior systems administrator at Sierra Systems Group in Vancouver, British Columbia, has it installed on both his home and work machines. He also uses other detection tools like Lavasoft's Ad-Aware and Webroot Software's Spy Sweeper. "I like to compare the results between Microsoft's and the other third-party tools," he says, "but it catches the same ones the others do."

Microsoft Windows AntiSpyware Beta (now called Windows Defender)

Free to currently licensed Windows customers
Microsoft Corp.
800-426-9400
www.microsoft.com

William Felton agrees with that assessment. "I've been thrilled with it," says Felton, a network specialist for the Des Moines Public Schools in Des Moines, Iowa. "I tried it on two machines here and at home. It's been flawless."

Windows AntiSpyware's full feature set is what most impresses Dave Stambaugh, a systems administrator at Cleveland, Ohio-based Gallo Displays. "I think it's a very well-rounded product," he says. "It has a lot of features that let you delve into things that normally users wouldn't know about, like browser helper objects."

Giant Steps
Not all users are convinced. Richard Schulman, IT director at Kidde Fire Fighting in Exton, Pa., spent most of 2004 searching for a comprehensive anti-spyware tool to roll out to his company's 200 XP workstations. He eventually discovered Giant Software. "I had tried a number of other products. Then I found Giant, installed it on my home computer and thought it was great," he says. When he went back to purchase the tool, he learned that Giant had been bought by Microsoft.

Schulman was hoping for a single solution to root out spyware, and thought he had found it in Giant's tool. "The Giant product seemed to do it—until Microsoft bought it," he says. "Usually, Microsoft will buy a product and then make it better. This seems to be a product they bought and made it worse."

Schulman plans to remove the tool from his home systems, and has scrapped plans for a company-wide rollout. "At this point there would be no reason for me to roll it out at work because it honestly doesn't do anything," he says.

Felton says his version of Windows AntiSpyware has grown disconcertingly quiet of late, but the tool worked well during testing. He recently used it to visit a "crack" site—a site notorious for passing along virus and spyware infections.

Felton configured a machine with Windows XP Service Pack 2, Symantec's Norton AntiVirus and Windows AntiSpyware. Then he visited the site. "It came up rapid fire that my machine was being attacked," he says. "Symantec caught one virus attempt, Service Pack 2 kept the pop-ups from coming up, and the AntiSpyware detected about a dozen or so spyware attempts. It caught everything, so I know it's working."

Interface Issues
Microsoft would do well to rework the interface so all of its features and capabilities are more obvious and readily accessible, says James Clemens II. For example, while it's relatively straightforward to run a quick scan with Microsoft Windows AntiSpyware, executing a more in-depth scan requires paging through a couple of screens. "The quick scan does nothing that I can see," says Clemens, publisher at Micaspecialties.org, a computer security consultancy in Panama City, Fla. "If you don't set it up to do a full scan, you're likely to miss things. And I've run into a lot of people who weren't even aware that the full scan exists." While the scanning capabilities are indeed there, that quirk could lead to fewer spyware detections.

Other features that Clemens appreciates, although he wishes they were easier to find, are its ability to investigate browser helper objects—plug-ins installed by some forms of spyware—and the fact that it will restore browser settings hijacked by malware or spyware. "It has a lot of great features, but they're buried. If you don't know they're there, you might not realize it," he says.
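Zimmerman's remark about the registry keys and DLL associations the tool knows to check, and Clemens' point about investigating browser helper objects and hijacked browser settings, both describe things an administrator can verify by hand. The following PowerShell script is an added example written for this page; it is not code from the article, from Giant or from Microsoft's tool. It walks the standard BHO registration keys (including the Wow6432Node view used by 32-bit Internet Explorer on 64-bit Windows), resolves each CLSID to the DLL that implements it, checks that DLL's Authenticode signature, and lists the Internet Explorer start and search page values that browser hijackers overwrite. Run it from an elevated prompt on the machine being audited.

```powershell
# Added example (not from the article or from Microsoft's tool): manual
# inventory of Browser Helper Objects and IE page settings.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
)

function Resolve-Clsid {
    # Map a CLSID to its friendly name and the DLL named in InprocServer32
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { continue }
        $name   = (Get-Item $key).GetValue('')
        $server = "$key\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-Item $server).GetValue('') } else { $null }
        if ($dll) {
            # The value may be quoted and may use %SystemRoot%-style variables
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        }
        return [pscustomobject]@{ Name = $name; Dll = $dll }
    }
    return [pscustomobject]@{ Name = $null; Dll = $null }
}

function Get-BrowserHelperObject {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($entry in Get-ChildItem $root) {
            $clsid = $entry.PSChildName
            $info  = Resolve-Clsid $clsid
            # A registered BHO whose DLL is gone is itself worth a look
            $sig = 'MissingFile'
            if ($info.Dll -and (Test-Path $info.Dll)) {
                $sig = (Get-AuthenticodeSignature -FilePath $info.Dll).Status
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $info.Name
                Dll       = $info.Dll
                Signature = $sig      # Valid, NotSigned, HashMismatch, MissingFile ...
                Source    = $root
            }
        }
    }
}

function Get-IEPageSetting {
    # Per-user values override the machine-wide defaults, so show both hives
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path $key)) { continue }
        $main = Get-ItemProperty -Path $key
        foreach ($value in 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
            if ($null -ne $main.$value) {
                [pscustomobject]@{ Hive = $hive; Setting = $value; Url = $main.$value }
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
Get-IEPageSetting       | Format-Table -AutoSize
```

The output is a raw inventory to compare against what the anti-spyware tool reports, not a verdict: a valid signature only tells you who signed the DLL, and an unsigned or missing file is a lead, not proof of infection.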

Another reason some users may have missed spyware incidents with Microsoft Windows AntiSpyware is that updates tend to be sporadic. "Some machines don't pull down the AntiSpyware updates, even when they're set to automatically keep the signatures updated," says Pete Salak, an IT engineer at LAN Services LLC in San Jose, Calif.

The manner in which Windows AntiSpyware categorizes some spyware and malware could also lead to reduced detection. For example, it recommends that you allow certain instances of spyware, such as software from Claria Corp. You can still block Claria software, but uninformed users may automatically follow Microsoft's recommendation, which could lead to problems. That categorization gaffe led to such user outcry that Microsoft was forced to post this explanation: www.microsoft.com/athome/security/spyware/software/claria_letter.mspx.

With those issues in mind, most users agree that the best way to fend off spyware is to run multiple anti-spyware tools. "You'll never catch everything with just one anti-spyware program, whether it's Microsoft, Ad-Aware, Spybot-Search & Destroy or Webroot," says Stambaugh. "They all do good jobs, but for some reason, one tool can't catch everything. It's common knowledge that you should definitely run more than one."

5 Common Gripes: Windows AntiSpyware
Categorization Confusion: Microsoft shouldn't recommend that users allow Claria or any other software that acts like spyware.

Flaky Updates: When machines are set up to automatically pull down AntiSpyware updates, some do and some don't. Updates need to be more consistent.

Muddy Interface: The tool contains several important features that are buried and difficult to find.

More Admin Controls: Windows AntiSpyware needs more administrative-level controls so administrators can set block lists, lock it down and hook into other tools like SMS.

Dearth of Support: Windows AntiSpyware runs on XP and 2000 machines. Users say they would like to see it run on Windows 98 machines as well.

— J.C.

In Control
Perhaps the biggest change users would like to see is more administrative-level controls to make AntiSpyware easier to deploy and manage in a corporate setting. For example, Felton says he cannot roll out the software to his school district because the school's network operates behind a proxy. "The tool can't cross the proxy to get updates," he says.

Others would like more control over what Windows AntiSpyware allows and does not allow. Right now, when it detects spyware, Windows AntiSpyware prompts you to either allow or block the attempt. "Uneducated users may choose to allow something they shouldn't or choose to block something that they should allow," says Zimmerman.

This became a problem at his company, especially when Windows AntiSpyware detected logon scripts. "The first time we used it some users saw the pop-up about the logon scripts and didn't know what to do. They ended up blocking them, and we had to go in and reset all the settings."

Although most users say they're happy with Windows AntiSpyware, many have yet to roll it out to every machine in their network because it is still in beta. "It's been in beta for eight or nine months now, which is a long time for a beta," says Stambaugh. "They need to get it out."

Clemens says Microsoft has told him it will release Windows AntiSpyware in December and that it will remain free to consumers. He has also heard it will be rolled into Microsoft's upcoming OneCare toolset, as well as being part of Windows Vista when that debuts sometime next year. "It will be free for consumers, but it will also be available in corporate versions in OneCare and Windows Vista—and Microsoft may charge for that," he says, adding that the extra functionality and administrative controls would be worth it. "I'd pay for that," he says.