[unisog] Initial Observations of the Microsoft AntiSpyware Beta1

Brian Eckman eckman at umn.edu
Thu Jan 6 21:00:53 GMT 2005


Most of you have probably already heard that Microsoft released a public 
beta of their AntiSpyware product, developed by Giant Software Company 
(which Microsoft recently bought). Here is the URL for this beta:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

I've just started playing with it (it just came out), and have a few things 
I thought I'd share.

It created about 1400+ registry entries while installing. Several of them 
still refer to "GiantCompany". (Not a surprise - Symantec still uses the 
"Intel LANDesk" registry stuff for their Corporate Edition AntiVirus, after 
all....)

It came with definition files dated January 4, 2005. I tried to check for 
updates, and it said there were none. Not surprising, except running packet 
capture software in the background revealed why - the URL at 
giantcompany.com that it accessed in order to check for updates returned a 
404 ("Not Found") error. Oops... :)

Of course, the packet capture software I used to determine this relies on 
WinPCap. The AntiSpyware software flagged WinPCap. However, it gave a good 
explanation of why it flagged it, it called it a "low" risk threat, and the 
default action was to "ignore" it.

Subsequent scans continued to flag WinPCap, even though I had chosen 
"ignore" several times in the past. I then discovered there is an option 
called "ignore always". That option did appear to function as I'd expect, 
as a future scan did not flag it.

Upon install, Microsoft AntiSpyware asks you if you want to be a part of 
"SpyNet". Microsoft is apparently trying to make you feel as though you are 
part of some spyware-busting community, while in reality, at least at first 
glance, it just appears to offer you an easy way to report spyware 
infections to them via this software. However, when I tell it to inform 
this SpyNet, it tries to talk to an IP address over port 80/tcp that is 
apparently not currently listening on that port. So, the end user feels 
like they did a Good Thing by submitting this to them, when in fact, the 
submission went into the Bit Bucket without any notification to the client.

(Of course, this is Beta software, so perhaps the framework for some of 
this stuff isn't completed. It was still irritating to discover this. I 
would have preferred a notice that SpyNet couldn't be accessed at this time, 
with an option to try again at a later time. At least that way, my 
"valuable contribution" to SpyNet wouldn't be lost forever.)

So, I took a test machine and downloaded and ran a current, really nasty 
threat, with Microsoft AntiSpyware Beta1 running. The AntiSpyware software 
noticed that it tried to install CoolWebSearch (which it called a "very 
high" threat), and recommended that I block it. It also noticed when two 
unknown Browser Helper Objects (BHOs) tried to be installed and let me 
block those. It also notified me of something trying to put itself in the 
startup folder, and another thing trying to change my home page, and 
another that installed a toolbar in IE, and allowed me to act accordingly. 
This all worked pretty well, I must say. When I told it to "remove" the 
toolbar, it did. (Note: This was all done in real-time detection.) 
Literally, IE with an evil toolbar installed did not have the toolbar there 
after closing it and opening it again.

Unfortunately, it did not detect all of the spyware that this threat 
installed, at least not in real time. It did later complain when the (still 
running) spyware attempted to install the BHOs again, and when it tried to 
change the IE start page again, so at least it was easy to detect that it 
missed something. And, each time that it had told me about some Spyware 
that got installed, it asked me to run a full scan, with a Yes/No button to 
start it right then. This is good, because many of the spyware installers 
install numerous different products.

So, I ran a manual scan, and it found more stuff. It then offered to let me 
report this to SpyNet. Again, it appeared to have worked, but the packet 
capture confirmed the remote IP address simply sending RST packets in 
response to the report attempts...

Ultimately, it (sort of) did not detect and remove all of the spyware 
installed. After the manual scan, I later received more warnings that an 
Internet Explorer toolbar was prevented from being installed (at least it 
warned me in real time again!). I wasn't doing anything to cause the alert, 
so obviously, something evil remained. I tried a "full system scan" (not 
the default), and it did not find anything that was still running. 
However, updated AntiVirus (SAVCE) software doing real-time detection did 
detect several things during this full system scan (because the evil 
executables were being accessed by the AntiSpyware scan, so they were all 
scanned by AV as well), and the combination of the two did seem to get rid 
of the threat. I rebooted and did not see any further signs of 
virus/spyware activity.

I did not see a method of reviewing (at a later time) which threats it 
found via real-time scanning. I could only find a way to see which threats 
were found during previous manual scans.

Some other features of the program are not complete yet. For example, you 
can click a link for more information about a threat, and it replies that 
"The requested information is not currently available".

One other observation - this appears to be a RAM hog. Just running in the 
background seemed to take 16 MB of RAM. Launching the application to do 
things with it added to that significantly. (While running a manual scan of 
the hard drive, I observed about 40 MB of RAM in use in total by the 
software's various components. This was one observation, and isn't 
scientific at all. YMMV.)

Another thing. It flags you each time you try to run a "script file", such 
as a batch file. You can tell it to allow it or block it, and check a box 
"remember this action". Checking that box seems to only affect the specific 
batch file in its specific location. Moving it or renaming it and launching 
it again will cause the prompt.

I did not try to determine how easily this software could be disabled by 
malicious software. I suspect it would not be terribly difficult, but don't 
have any evidence to support my suspicion at this time.

Overall it looks like it could become a solid product. It did remove the 
things it said it removed. It did a reasonable job of detecting 
spyware-like activity that was being performed by mostly unknown spyware. 
I'd say it's certainly something to keep an eye on, if you have enough RAM 
to support it.

Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
