Best Defenders

Spyware is getting smarter. The newest threats are better than their predecessors from just a few months ago at hijacking your browser, watching your Web surfing, and stealing your data. Your current anti-spyware program may not be up to the challenge.

The good news is that spyware fighters are evolving, too. For this review we tested an array of updates and new products. Our test group included five paid stand-alone tools--McAfee AntiSpyware 2006, PC Tools' Spyware Doctor 3.2, Sunbelt Software's CounterSpy 1.029, Trend Micro's Anti-Spyware 3.0, and Webroot Software's Spy Sweeper 4.0; three all-in-one security suites--Panda Platinum Internet Security 2005, Symantec Norton Internet Security 2005 AntiSpyware Edition, and Zone Labs' ZoneAlarm Internet Security Suite 6.0; and three free products--Lavasoft's Ad-Aware SE Personal Edition 1.06, Microsoft's publicly available beta of Windows AntiSpyware (Beta 1.0.615), and Safer Networking's Spybot Search & Destroy 1.4. Though the suites cost more than stand-alone spyware apps, they come with antivirus, firewall, antispam, and privacy components (we didn't test these features).

While adware can be a major annoyance, spyware can be very dangerous, so we focused on the latter type of threat. Spyware not only installs itself surreptitiously in a system but can also download other unwanted applications without your consent. We collected dozens of spyware programs, including the latest versions of threats used in our last anti-spyware roundup (see "Spyware Stoppers") as well as new malware. As a result, we can't precisely compare scores between the two reviews, though we can draw some conclusions.

In all, these spyware programs added 73 unwanted files to our test computer. With them, we challenged the anti-spyware tools' abilities to detect and clean up the components. Here is how the products fared.


The Results: Our Favorites

Webroot's Spy Sweeper was the only program that removed an aggressive strain of the Look2Me spyware.
Webroot's $30 Spy Sweeper 4.0 removed 90 percent of the spyware components--the highest score--which helped make it the Best Buy among the stand-alone applications. We recommend this product if you already have antivirus, antispam, and firewall software. Of the three all-in-one suites, we recommend Panda Software's $50 Platinum Internet Security 2005. Our pick as Best Buy among the suites, Panda scored the highest of the three in total spyware removal and second-highest among all products, removing 86 percent of the spyware components. Panda also removed spyware without forcing us to make case-by-case decisions.

Among the free products, no clear winner emerged. If you don't want to pay for a spyware fighter, we recommend running more than one free program to increase your protection.

The biggest improvement came from McAfee AntiSpyware 2006 ($30), which nabbed 79 percent of total spyware components in our tests. Last year's McAfee AntiSpyware 2005 removed only 22 percent of spyware tested. Both spyware and anti-spyware have changed since the previous tests, but this improvement is still noteworthy.

Symantec's Norton Internet Security suite recommended giving Internet access to a file created by the FXAgent Trojan.
Symantec's suite also removed 79 percent of total tested spyware components; however, it made some poor recommendations. For example, it advised us to give Internet access to the FXAgent Trojan horse, a keylogger activated from an embedded e-mail link claiming to lead to a Symantec removal tool. When installed, the resulting dlhost.exe file, which subsequently tries to access the Internet, was added to the Windows system directory. Symantec says that it has since made available a software update for the suite that would recognize this Trojan horse and eliminate it upon first contact.

Microsoft's free antispyware tool exhibited middling spyware cleanup but good behavior-based prevention.
The biggest disappointment was Sunbelt Software's CounterSpy ($20), our former Best Buy. CounterSpy removed only 66 percent of total spyware components, down from 85 percent in our last review. Microsoft's free Windows AntiSpyware beta also removed only 66 percent of total spyware components. The similarity is not surprising, since the two products share technology from Giant Company Software, an anti-spyware firm that Microsoft acquired in December 2004.

For this story, we tested the commercially available CounterSpy 1.029; but in August's New Products review "Spyware Stoppers Still Improving", we took an initial look at a beta of CounterSpy 1.5. (We did not test noncommercially available betas in this review.) This delayed new version, which Sunbelt says employs a redesigned engine, achieved good results and should finally be ready in early October. The shifts in winners and losers between our two reviews--spaced only seven months apart--indicate the importance of keeping up-to-date on threats and solutions.

The Results: Cleaning up the Mess

One key measure of anti-spyware software is its ability to remove spyware processes running actively in memory; such processes represent a portion of the total spyware components mentioned above. Panda was the only program that removed 100 percent of the running processes. McAfee followed closely, erasing 96 percent. Spy Sweeper came in third, at 88 percent.

Some spyware components in our test group altered Internet Explorer's home page, search page, browser helper objects (BHOs) and toolbars, and Trusted Sites Zone. We tracked the anti-spyware products' ability to detect and reverse these unwanted changes.

Spy Sweeper did the best job of detection and cleanup, removing 100 percent of the BHOs and toolbars embedded in our test PC's browser, as well as reversing all of the browser start- and search-page changes. Panda and McAfee removed 100 percent of the BHOs and toolbars, but they failed to reverse any changes to browser start and search pages. Trend Micro and the ZoneAlarm suite also did not reverse start- and search-page changes, but they did remove 50 percent and 86 percent, respectively, of the BHOs and toolbars. Symantec reversed all page changes but removed just 79 percent of the BHOs and toolbars.

Besides removing all BHOs and toolbars, Webroot's Spy Sweeper was the only anti-spyware application to detect and remove a particularly nasty variant of Look2Me. This tenacious program hooks into the Windows Logon and tracks the Web sites you visit while also downloading additional spyware and adware.

Eye on Behavior

Panda's Platinum Internet Security lets you decide how to display alert messages for viruses and cookies.
Many anti-spyware products try not only to clean up known spyware but also to prevent as-yet unidentified spyware from landing on your machine. To do this trick, they monitor areas of the system that malicious software targets, identify suspicious behavior, and stop it. To evaluate such behavior-based capabilities, we created an app to perform actions indicative of spyware and adware installations: adding Registry run keys, adding a file to the Windows startup folder, changing the browser start and search pages, and overwriting the Hosts file, the first place that Windows goes to look up Web addresses you want to access. Spyware can modify the Hosts file to redirect you to certain sites (like adware servers) or prevent access to others (like antivirus-company sites).

CounterSpy, McAfee, Spybot, Spy Sweeper, Spyware Doctor, Windows AntiSpyware, and the ZoneAlarm suite all offer some behavior-based protection. Spy Sweeper proved to be the most effective. For more details on how these features stacked up, see the chart "Preventing Unidentified Spyware from Installing Isn't Easy."

While ZoneAlarm alerts are informative for those folks in the know, their presentation may confuse less-savvy users.
When it came to ease of use, Panda's suite was top-notch, removing detected adware and spyware without relying on user input. You can also change the default settings to allow case-by-case decision-making. The ZoneAlarm suite displays many alerts that demand your response, which can be challenging if your knowledge of security isn't thorough.

The McAfee icon in the system tray launches the SecurityCenter, which doesn't include the AntiSpyware 2006 program.
We were also less than impressed with the McAfee interface. The icon that appears in Windows' system tray doesn't launch the anti-spyware scanner; instead it launches the McAfee SecurityCenter, which advertises other McAfee products but doesn't include McAfee AntiSpyware.

The Battle Continues

As we said, spyware keeps changing, and so do the tools that fight it. Around the time you read this, five vendors--Sunbelt, Symantec, Webroot, and Microsoft--plan to update their software. As new releases appear, we'll pit them against the newest and nastiest threats. Check PCWorld.com's Spyware and Security Info Center for ongoing coverage, including reviews, news, tips, and downloads.

The State of Spyware: Where the Battle's Headed

Spyware and adware burrow into your PC. Anti-spyware programs dig them out. A new round of spyware and adware burrows into your PC. New and updated anti-spyware programs dig them out. While the war against spyware seems deadlocked, there's hope that the good guys will win. We spoke with Gregor Freund, founder of Zone Labs and developer of the ZoneAlarm Internet Security Suite, to find out the latest strategies used by both sides and to learn how the future might play out.

PC World: What's the difference between adware and spyware?

Gregor Freund: Adware and spyware are both major threats to a consumer's PC, but the main difference lies in the intent. Spyware is used to pilfer personal information for criminal activities such as identity theft and financial scams, whereas adware focuses on aggregating personal information to serve advertising content.

Spyware may be the more insidious threat, but adware can also create security and computing problems for consumers. Often, a user has not consciously consented to the profiteering resulting from their personal information. The notification of the program's intent may be hidden deep in a lengthy EULA [End User License Agreement]. Adware can create a logjam [in users'] computing resources, resulting in significantly decreased performance of their systems. And since adware can be uninstalled without the user's knowledge, there typically is no support or upgrades issued. If a user installs new software that conflicts with the adware, a user may not even know the cause of the problem. And adware can have its own security holes, allowing a hacker to gain access to a PC through the program.

That being said, we recognize that some programs that behave as adware may offer a legitimate benefit to a consumer, and they may have intentionally installed the program. We evaluate each software program as appropriate (and upon request), and make our security decisions based upon our findings.

PCW: What are the latest tricks that spyware creators are using?

Freund: Spyware has changed drastically over the last few years. We're talking about both legal and illegal players. They're starting to use a wide variety of tricks that are traditionally more associated with malicious viruses, things like rootkits that put spyware directly in the kernel [of the OS]. This approach is geared not only for getting onto people's machines but staying stuck onto people's machines. Anti-spyware software traditionally would scan your system every day or so and would remove what it found on your machine. [Now] once a piece of spyware has been established on your machine it becomes extremely hard to remove... Spyware creators are modifying executables rapidly. We see instances where they're being updated ten times a day.

PCW: What are the latest technologies and techniques that you, and other antispyware vendors, are using to fight back?

Freund: The key to success in fighting spyware is prevention--not just removal. We have a whole list of behaviors that we consider dangerous. If we see an unknown application and an unknown component, we watch its behavior. Many pieces of spyware monitor what URLs you are going to. We've added what's called an "OS firewall" that monitors that kind of behavior. When we find suspicious behavior, we check with our database. "Do we know these guys?" We then ask the user: "Are you aware of this application?" It catches spyware before it has a chance of establishing itself.

PCW: Who are the biggest culprits?

Freund: There's a very, very strong criminal element creating spyware, but there's a legal element creating adware, which is also pretty daunting. These companies are extremely profitable. They're making millions of dollars of revenue. That's a much, much more formidable enemy than a bunch of people that build a virus in a back room.

PCW: What are the similarities and differences between fighting spyware and fighting viruses?

Freund: I know I'm going to eat my words, but by and large, viruses are relatively harmless because there was no other motivation besides hacking for glory. There have been very destructive viruses, but not that many. If you're writing viruses, you're trying to create as much noise as you can, because you're trying to get your name out there. If you're writing spyware, you're trying to be as quiet as possible. You're trying to slide in under the radar. You see a lot of smaller attacks, but a lot more of them, and a lot more targeted attacks. If you have thousands of smaller attacks, it makes it trickier to stop them.

PCW: Do anti-spyware vendors work together the way antivirus vendors do?

Freund: All of the vendors work together already. Security researchers all exchange samples and technologies. I don't think there's a lack of coordination between the vendors. We're all trying to build the best possible product.

PCW: Do anti-spyware vendors use the same nomenclature that antivirus companies do?

Freund: We see the spyware vendors making minor changes to their software very, very often to avoid detection. In our virus database, we used to have a lot of polymorphic viruses. That has kind of died out. The spyware [developer community] is picking up on a lot of these tricks. When the thing changes every hour or so, it's hard to agree on a name. In many cases, we don't care what it's called, we just stop it. One of the issues we run into is [a] gray zone: [spyware or adware that] has some useful features but also carries this whole payload that's designed to steal your data.

PCW: Some well-known companies are affiliated with companies distributing if not spyware at least adware. How responsible are they?

Freund: A long list of very reputable companies [is] actually using adware and spyware as an advertising medium. One of the things I would love to see is that large-budget advertisers stop using that as a medium. I think that advertising approach is irresponsible. There are enough legitimate ways on the Internet to use your ad dollars [that] you don't have to use these forums. It does fuel significantly the industry... I wish there were a code of conduct for adware that we just don't support [it] even though it might not be illegal.

PCW: What's the future of the fight against spyware?

Freund: You have to really differentiate between the legal side and the illegal side. The legal side, through a combination of [business community] consensus and defense mechanisms, will go away. There are just better ways of making a living than tracking unsuspecting users and hiding things in fine print. I find it a very appalling business model.

On the illegal side, we'll find many more [players]. Frankly, as more and more of the economy is accessible over the Internet, you will see more and more resources shift to online white-collar crime. Trojan horses, spyware, and other malicious code will be the primary means of attack. There are offshore companies spying on each other using Trojan horses and spying on journalists covering them. There will be a lot more attacks but they will be less visible. You'll see fewer headlines but more insidious danger.

So long as you see a big headline, people get their defenses up. As it becomes more and more of a daily crime in thousands of smaller cases, journalists are going to take their eyes off it. I think we have to do a lot more to promote public awareness.

Test Report: Spy Sweeper Leads the Field in Spyware Cleanup (chart)

PC World challenged 11 anti-spyware programs--five paid stand-alone apps, three free stand-alone ones, and three internet security suites--to clean up 73 components spawned by major spyware programs. Webroot came in first, eliminating 90 percent of these components. Panda came in second among all the apps but first among the three suites, removing 86 percent of the components.

Each result cell gives the number found, with the percentage found in parentheses.

| Program | Price | Spyware components removed | Actively running processes removed | Changes to start and search pages reversed | BHOs and toolbars removed | Registry run keys and startup links removed | Windows services removed | Comments |
|---|---|---|---|---|---|---|---|---|
| Paid Stand-Alone Program | | | | | | | | |
| Webroot Software Spy Sweeper 4.0 (Best Buy) | $30 | 66 (90%) | 23 (88%) | 5 (100%) | 14 (100%) | 21 (88%) | 3 (100%) | Had the highest overall spyware removal among stand-alone apps; it eliminated tough Look2Me variant. |
| McAfee AntiSpyware 2006 | $30 | 58 (79%) | 25 (96%) | 0 (0%) | 14 (100%) | 19 (79%) | 0 (0%) | Cleanup was significantly improved over previous version, but program can't launch from the system tray. |
| PC Tools Spyware Doctor 3.2 | $30 | 45 (62%) | 16 (62%) | 4 (80%) | 10 (71%) | 14 (58%) | 1 (33%) | This middling performer did not excel in any area aside from BHO and toolbar removal. |
| Sunbelt Software CounterSpy 1.029 | $20 | 48 (66%) | 17 (65%) | 1 (20%) | 13 (93%) | 15 (63%) | 2 (67%) | This former Best Buy exhibited weak cleanup; a version with a revamped engine is due out soon. |
| Trend Micro Anti-Spyware 3.0 | $30 | 42 (58%) | 22 (85%) | 0 (0%) | 7 (50%) | 12 (50%) | 1 (33%) | Showed poor performance in removing toolbars and other browser-based changes installed by spyware. |
| Free Stand-Alone Program | | | | | | | | |
| Microsoft Windows AntiSpyware Beta 1.0.615 | Free | 48 (66%) | 16 (62%) | 3 (60%) | 11 (79%) | 18 (75%) | 0 (0%) | Scored the highest of the free apps in spyware; offers comprehensive behavior-based prevention. |
| Lavasoft Ad-Aware SE Personal Edition 1.06 | Free | 47 (64%) | 17 (65%) | 4 (80%) | 9 (64%) | 14 (58%) | 2 (67%) | The free version of this program lacks real-time prevention but has a well-designed interface. |
| Safer Networking Spybot Search & Destroy 1.4 | Free | 40 (55%) | 13 (50%) | 1 (20%) | 10 (71%) | 15 (63%) | 1 (33%) | Its behavior-based spyware prevention was strong, but it also had the lowest spyware-cleanup score. |
| Internet Security Suite | | | | | | | | |
| Panda Platinum Internet Security 2005 (Best Buy) | $50 | 63 (86%) | 26 (100%) | 0 (0%) | 14 (100%) | 21 (88%) | 2 (67%) | Easy-to-use product was top-notch in removing spyware, but it didn't reverse browser page changes. |
| Symantec Norton Internet Security 2005 Anti-Spyware Edition | $80 | 58 (79%) | 22 (85%) | 5 (100%) | 11 (79%) | 18 (75%) | 2 (67%) | This suite ranked third in overall spyware removal, but it missed one infection of new spyware. |
| Zone Labs Internet Security Suite 6.0 | $70 | 54 (74%) | 22 (85%) | 0 (0%) | 12 (86%) | 19 (79%) | 1 (33%) | Zone Labs' permission-based alerts are far better for experienced users than for the less savvy. |

CHART NOTES: Street prices are as of 8/19/05. Star ratings based on spyware component removal, real-time spyware prevention, and ease of use.

How We Test: We performed testing on a 2.93-GHz Pentium 4 Acer Power FV computer running Windows XP Professional, Service Pack 1. (We used this version of Windows instead of Windows XP Professional, Service Pack 2, because the latter impacted the speed of our tests without making any changes to the protection offered by the anti-spyware products tested.) We collected dozens of spyware programs for our tests. These programs created 73 key components in our tests. The spyware components break down into processes that run actively in memory, modify Internet Explorer search and home pages, add toolbars and browser helper objects (BHOs), and alter Registry run keys and Windows services. We challenged the anti-spyware applications' ability to detect the components and processes and clean them up.

To get an idea of how well the anti-spyware programs deal with new and unknown spyware attacks, we also checked to see how they would deal with spyware-like behavior. We created an application to perform several actions typical of spyware and adware installations, including adding Registry run keys, dropping a file in the Windows startup folder, changing the browser start and search pages, and overwriting the Hosts file. We checked each anti-spyware application's ability to detect and block these activities.

Preventing Unidentified Spyware from Installing Isn't Easy (chart)

Some programs not only clean up known forms of spyware but also prevent as yet unidentified threats from reaching your system. They do this by monitoring certain areas of your system for suspicious activities. We created an application to perform several actions typical of spyware and adware installations, including adding Registry run keys, dropping a file in the Windows startup folder, changing the browser start and search pages, and overwriting the Hosts file. Here's how well the anti-spyware programs we tested detected these behaviors.

| Program | Price | Prevents changes to Registry run keys | Prevents additions to startup folder | Prevents changes to current home and start pages | Prevents changes to default start and search pages | Prevents overwriting of the HOSTS file | Alerts and/or blocks Messenger Service |
|---|---|---|---|---|---|---|---|
| Paid Stand-Alone Programs | | | | | | | |
| Webroot Software Spy Sweeper 4.0 | $30 | Yes | Yes | Yes | No | See footnote 1 | Yes |
| McAfee AntiSpyware 2006 | $30 | No | No | No | No | No | No |
| PC Tools Spyware Doctor 3.2 | $30 | No | No | No | No | No | No |
| Sunbelt Software CounterSpy 1.029 | $20 | Yes | No | Yes | Yes | See footnote 2 | Yes |
| Trend Micro Anti-Spyware 3.0 | $30 | No | No | No | No | No | No |
| Free Stand-Alone Programs | | | | | | | |
| Microsoft Windows AntiSpyware Beta 1.0.615 | Free | Yes | No | Yes | Yes | See footnote 2 | Yes |
| Lavasoft Ad-Aware SE Personal Edition 1.06 | Free | No | No | No | No | No | No |
| Safer Networking Spybot Search & Destroy 1.4 | Free | See footnote 3 | No | Yes | Yes | Yes | No |
| Internet Security Suites | | | | | | | |
| Panda Platinum Internet Security 2005 | $50 | No | No | No | No | No | No |
| Symantec Norton Internet Security 2005 Anti-Spyware Edition | $80 | No | No | No | No | No | No |
| Zone Labs Internet Security Suite 6.0 | $70 | Yes | No | No | No | No | No |

FOOTNOTES:
1 Spy Sweeper continually reported a read error when encountering a Hosts file that had been altered, allowing the modifications to occur without intervention from Spy Sweeper.
2 Microsoft Windows AntiSpyware and CounterSpy alerted only on the last line involved in a Hosts file overwrite. For example, if the Hosts file is overwritten with another Hosts file containing eight redirects, only the eighth redirect on the list would be alerted on and blocked.
3 Spybot produced a misaligned dialog box, which prevented the user from allowing changes resulting from legitimate software installs. Safer Networking says that it will fix this bug with an upcoming software update.
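
The Hosts-file check described in this article, and the gap in footnote 2, can be illustrated with a short audit script. This is an added example, not code from the article or from any product tested: it compares a saved baseline Hosts file against the current one and reports every added, changed, or removed mapping rather than only the last line. The host names, addresses, and file contents are constructed sample data, and the "first mapping for a name wins" rule is an assumption.

```python
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "hostname old_ip new_ip kind")

# Names that legitimately point at the local machine.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample data: a clean baseline and an overwritten Hosts file
# that adds eight entries and drops one.
BASELINE = """\
# baseline Hosts file (constructed)
127.0.0.1   localhost
192.0.2.10  intranet.corp.example
"""
OVERWRITTEN = """\
127.0.0.1    localhost
203.0.113.7  search.portal.example www.search.portal.example  # two names, one line
203.0.113.7  home.portal.example
203.0.113.8  bank.example
203.0.113.8  www.bank.example
203.0.113.9  mail.example
127.0.0.1    update.av-vendor.example
0.0.0.0      www.av-vendor.example
"""


def parse_hosts(text):
    """Parse Hosts-file text into an ordered {hostname: ip_address} dict."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an address
        for name in fields[1:]:                 # a line may map several names
            # Assumption: the first mapping listed for a name is the effective one.
            entries.setdefault(name.lower().rstrip("."), ip)
    return entries


def classify(name, ip):
    """Label a mapping: 'local', 'blocked' (sinkholed) or 'redirected'."""
    if name in LOCAL_NAMES and ip.is_loopback:
        return "local"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"      # name can no longer be reached (e.g. an antivirus site)
    return "redirected"       # name now resolves to an address chosen by the file


def audit_hosts(baseline_text, current_text):
    """Return a Finding for every mapping that differs from the baseline."""
    baseline = parse_hosts(baseline_text)
    current = parse_hosts(current_text)
    findings = []
    for name, ip in current.items():
        old = baseline.get(name)
        kind = classify(name, ip)
        if old == ip or kind == "local":
            continue
        findings.append(Finding(name, str(old) if old else None, str(ip), kind))
    for name, old in baseline.items():
        if name not in current:
            findings.append(Finding(name, str(old), None, "removed"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(BASELINE, OVERWRITTEN):
        print(f"{f.kind:<10} {f.hostname:<28} {f.old_ip} -> {f.new_ip}")
```
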


Mary Landesman researches spyware and viruses. She is About.com's antivirus guide.
