Bigger Threats, Better Defense

Filling the Gaps: Anti-Spyware

Firewalls and antivirus scanners play valuable roles in protecting your system. But they may miss several types of marketing-driven parasites that fall under the general heading of spyware--though this category includes more than just spying applications. For example, browser hijackers, a form of adware, change Registry entries without your approval to redirect your Internet start page or to change the default search service that appears when you mistype a URL. Often called drive-by downloads, many hijackers take advantage of weak security settings, sometimes automatically installing themselves when you visit a Web site. The notorious Surfbar, for example, exploits a flaw in Internet Explorer that allows executable files to download to the user's PC. Also known as Junkbar or Pornbar, Surfbar changes Internet Explorer's start page to www.surferbar.com, drops hundreds of porn site shortcuts onto your desktop, and installs a toolbar pointing to dozens more. Other hijackers do ask for permission, but in a confusing way that may deceive you into consenting.

Genuine spyware monitors your Internet use, typically to determine what you do online and to deliver targeted advertising. Spyware usually comes packaged with shareware and freeware programs. Often, the end user licensing agreements for this "free" software disclose the real cost: You implicitly agree to allow remote monitoring by third parties that are interested in collecting marketing data or serving targeted ads. Utah recently enacted a state law banning spyware (see "Next: Outlawing Spyware?"). But this measure is unlikely to have much impact. For now, anti-spyware provides the best defense.

We evaluated five dedicated anti-spyware packages: Aluria Spyware Eliminator, InterMute SpySubtract Pro Version 2, Lavasoft Ad-aware 6 Plus, Network Associates McAfee AntiSpyware, and Spybot Search & Destroy. (New editions of two other popular utilities--PestPatrol and Webroot Spy Sweeper--were not available in time for our review.) We also tested the spyware-hunting capabilities of the antivirus scanners and other utilities contained in the Internet security suites from Network Associates, Panda, Symantec, and Trend Micro. Unfortunately, even the best performers managed to capture only a little more than half of our spyware samples. For the time being, your best strategy is to use multiple anti-spyware scanners.

Auto-immune problem? McAfee's Privacy Service attacks its antivirus app.
During informal tests, we infected a system with an array of spyware. Norton identified only two of the seven spyware infections as they were occurring; PC-cillin and Panda alerted only on one each. When we ran the antivirus suite scanners on a system that had already been infected, they detected the executable file that creates the nefarious Surfbar infection, but they did not remove the installed toolbar, porn site shortcuts, and hijacked home page. Though McAfee's Privacy Service accurately detected all attempts to modify the Registry and urged us to reject them, it didn't detect the underlying processes in memory that were responsible for the attempts at modification. So as soon as we rejected one set of changes, another assault occurred, resulting in an endless cycle of alert and rejection until we finally capitulated to the infection.

Unlike antivirus apps that match incoming files against malware signatures to determine whether they are infected, anti-spyware products rely heavily on Registry keys and values. Spybot Search & Destroy and Ad-aware had the most reliable detection in our tests, but Spybot Search & Destroy was best at removing bad files and restoring Registry values.
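
The Registry-based detection described above, as a short added example (not from the article or any of the reviewed products): it parses a constructed .reg-style export and reports monitored Internet Explorer values that differ from a known-good baseline. The baseline URLs and the sample export are assumptions; the hijacked start page uses the Surfbar address named earlier in the article.

```python
import re

# Internet Explorer settings that browser hijackers rewrite. The key path and
# value names are real IE Registry locations; the baseline data is an
# assumption standing in for a known-good snapshot of the machine.
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
BASELINE = {
    (IE_MAIN, "Start Page"): "about:blank",
    (IE_MAIN, "Search Page"): "http://search.example.test/",
}

# Constructed sample: already-decoded text of a .reg export from a hijacked profile.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.surferbar.com/"
"Search Page"="http://search.example.test/"
"Window Title"="Internet Explorer"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {(key_path, value_name): string_data} for string (REG_SZ) values."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            values[(key, unescape(m.group(1)))] = unescape(m.group(2))
    return values

def find_hijacks(export_text, baseline=BASELINE):
    """List (key, name, expected, found) for monitored values that drifted.
    A monitored value that is missing from the export is reported with found=None."""
    current = parse_reg_export(export_text)
    findings = []
    for (key, name), expected in baseline.items():
        found = current.get((key, name))
        if found is None or found.lower() != expected.lower():
            findings.append((key, name, expected, found))
    return findings
```

A check like this only reports the changed values; as the tests above show, restoring them does not help while the process that rewrites them is still running.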

Although McAfee AntiSpyware detected three infectors--Gator, Huntbar, and MyFastAccess--it removed only the latter two completely. SpySubtract Pro 2 was the weakest of all, detecting only one spyware sample: the widely known Gator dashbar.

We liked the real-time protection that Ad-aware Plus's Ad-watch component provided. In our tests, Ad-watch foiled every hijacker that tried to change our Internet preferences. (Note that the basic, free version of Ad-aware does not include the Ad-watch component.)

None of the scanners we tested even approached 100 percent detection and removal, but Spybot Search & Destroy and Lavasoft Ad-aware Plus were the most capable. In general, Ad-aware does a better job of spotting pure adware, while Spybot is more adept at detecting pure spyware. They are also about tied in other features: We found Ad-aware 6 Plus much easier to use, and it came with Ad-watch; but Spybot Search & Destroy demonstrated superior cleaning ability.
