[unisog] Initial Observations of the Microsoft AntiSpyware Beta1
eckman at umn.edu
Thu Jan 6 21:00:53 GMT 2005
Most of you have probably already heard that Microsoft released a public
beta of their AntiSpyware product, developed by Giant Software Company
(which Microsoft recently bought). Here is the URL for this beta:
I've just started playing with it (it just came out), and have a few things
I thought I'd share.
It created about 1400+ registry entries while installing. Several of them
still refer to "GiantCompany". (Not a surprise - Symantec still uses the
"Intel LANDesk" registry stuff for their Corporate Edition AntiVirus, after
It came with definition files dated January 4, 2005. I tried to check for
updates, and it said there were none. Not surprising, except running packet
capture software in the background revealed why - the URL at
giantcompany.com that it accessed in order to check for updates returned a
404 ("Not Found") error. Oops... :)
Of course, the packet capture software I used to determine this relies on
WinPCap. The AntiSpyware software flagged WinPCap. However, it gave a good
explanation of why it flagged it, it called it a "low" risk threat, and the
default action was to "ignore" it.
Subsequent scans continued to flag WinPCap, even though I had chosen
"ignore" several times in the past. I then discovered there is an option
called "ignore always". That option did appear to function as I'd expect,
as a future scan did not flag it.
Upon install, Microsoft AntiSpyware asks you if you want to be a part of
"SpyNet". Microsoft is apparently trying to make you feel as though you are
part of some spyware-busting community, while in reality, at least at first
glance, it just appears to offer you an easy way to report spyware
infections to them via this software. However, when I tell it to inform
this SpyNet, it tries to talk to an IP address over port 80/tcp that is
apparently not currently listening on that port. So, the end user feels
like they did a Good Thing by submitting this to them, when in fact, the
submission went into the Bit Bucket without any notification to the client.
(Of course, this is Beta software, so perhaps the framework for some of
this stuff isn't completed. It was still irritating to discover this. I
would have preferred a notice that SpyNet couldn't be accessed at this time,
with an option to try again at a later time. At least that way, my
"valuable contribution" to SpyNet wouldn't be lost forever.)
So, I took a test machine and downloaded and ran a current, really nasty
threat, with Microsoft AntiSpyware Beta1 running. The AntiSpyware software
noticed that it tried to install CoolWebSearch (which it called a "very
high" threat), and recommended that I block it. It also noticed when two
unknown Browser Helper Objects (BHOs) tried to be installed and let me
block those. It also notified me of something trying to put itself in the
startup folder, and another thing trying to change my home page, and
another that installed a toolbar in IE, and allowed me to act accordingly.
This all worked pretty well I must say. When I told it to "remove" the
toolbar, it did. (Note: This was all done in real-time detection.)
Literally, IE with an evil toolbar installed did not have the toolbar there
after closing it and opening it again.
Unfortunately, it did not detect all of the spyware that this threat
installed, at least not in real time. It did later complain when the (still
running) spyware attempted to install the BHOs again, and when it tried to
change the IE start page again, so at least it was easy to detect that it
missed something. And, each time that it had told me about some Spyware
that got installed, it asked me to run a full scan, with a Yes/No button to
start it right then. This is good, because many of the spyware installers
install numerous different products.
So, I ran a manual scan, and it found more stuff. It then offered to let me
report this to SpyNet. Again, it appeared to have worked, but the packet
capture confirmed the remote IP address simply sending RST packets in
response to the report attempts...
Ultimately, it (sort of) did not detect and remove all of the spyware
installed. After the manual scan, I later received more warnings that an
Internet Explorer toolbar was prevented from being installed (at least it
warned me in real time again!). I wasn't doing anything to cause the alert,
so obviously, something evil remained. I tried a "full system scan" (not
the default), and it did not find anything that was still running.
However, updated AntiVirus (SAVCE) software doing real-time detection did
detect several things during this full system scan (because the evil
executables were being accessed by the AntiSpyware scan, so they were all
scanned by AV as well), and the combination of the two did seem to get rid
of the threat. I rebooted and did not see any further signs of
I did not see a method of reviewing (at a later time) which threats it
found via real-time scanning. I could only find a way to see which threats
were found during previous manual scans.
Some other features of the program are not complete yet. For example, you
can click a link for more information about a threat, and it replies that
"The requested information is not currently available".
One other observation - this appears to be a RAM hog. Just running in the
background seemed to take 16 MB of RAM. Launching the application to do
things with it added to that significantly. (While running a manual scan of
the hard drive, I observed about 40 MB of RAM in use in total by the
software's various components. This was one observation, and isn't
scientific at all. YMMV.)
Another thing. It flags you each time you try to run a "script file", such
as a batch file. You can tell it to allow it or block it, and check a box
"remember this action". Checking that box seems to only affect the specific
batch file in its specific location. Moving it or renaming it and launching
it again will cause the prompt.
I did not try to determine how easily this software could be disabled by
malicious software. I suspect it would not be terribly difficult, but don't
have any evidence to support my suspicion at this time.
Overall it looks like it could become a solid product. It did remove the
things it said it removed. It did a reasonable job of detecting
spyware-like activity that was being performed by mostly unknown spyware.
I'd say it's certainly something to keep an eye on, if you have enough RAM
to support it.
OIT Security and Assurance
University of Minnesota
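The packet-capture check described above (the update URL that 404'd and the SpyNet submissions answered with RSTs) can be turned into a small triage step that tells you whether a product's "reporting" and "update" connections were ever accepted. This is an added example, not code from the original message; it runs over constructed tcpdump-style lines with placeholder addresses, and the endpoint names are assumptions.

```python
import re

# Constructed sample lines in tcpdump's default text format (placeholder
# addresses, not a real capture from the post). 203.0.113.5 refuses with RST,
# 198.51.100.7 completes the handshake, 203.0.113.9 never answers.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.0.2.10.1041 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
12:00:01.050 IP 203.0.113.5.80 > 192.0.2.10.1041: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:02.000 IP 192.0.2.10.1042 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
12:00:02.050 IP 203.0.113.5.80 > 192.0.2.10.1042: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:03.000 IP 192.0.2.10.1043 > 198.51.100.7.80: Flags [S], seq 1, win 65535, length 0
12:00:03.040 IP 198.51.100.7.80 > 192.0.2.10.1043: Flags [S.], seq 9, ack 2, win 8192, length 0
12:00:03.041 IP 192.0.2.10.1043 > 198.51.100.7.80: Flags [.], ack 10, win 65535, length 0
12:00:04.000 IP 192.0.2.10.1044 > 203.0.113.9.80: Flags [S], seq 1, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_connections(capture_text):
    """Map each (server_ip, port) that received a SYN to its outcome:
    'accepted' (SYN-ACK seen), 'refused' (RST seen) or 'no-answer'."""
    syns = {}     # (client_ip, client_port) -> (server_ip, server_port)
    outcome = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if flags == "S":                      # bare SYN: an outbound attempt
            key = (dst, int(dport))
            syns[(src, sport)] = key
            outcome.setdefault(key, "no-answer")
            continue
        key = syns.get((dst, dport))          # reply aimed at a client socket we saw
        if key is None or (src, int(sport)) != key:
            continue
        if "R" in flags:                      # RST or RST-ACK: port not listening
            outcome[key] = "refused"
        elif flags.startswith("S."):          # SYN-ACK: handshake completed
            outcome[key] = "accepted"
    return outcome


def silent_failures(capture_text):
    """Endpoints the product tried to reach that never accepted a connection."""
    return sorted(k for k, v in classify_connections(capture_text).items() if v != "accepted")
```

A refused or unanswered entry for the update or report server is the condition the post describes: the client reports success or "no updates" while nothing was actually delivered.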