[unisog] Initial Observations of the Microsoft AntiSpyware Be ta1

Ben Compton Ben.Compton at sw.edu
Thu Jan 6 22:00:15 GMT 2005

While we're on the spyware removal tools topic I'm curious to know what you
folks use at your respective sites and how your success has been with
whatever product you're using.

Ben C.

> -----Original Message-----
> From: Brian Eckman [mailto:eckman at umn.edu] 
> Sent: Thursday, 06 January, 2005 4:01 PM
> To: UNIversity Security Operations Group
> Subject: [unisog] Initial Observations of the Microsoft 
> AntiSpyware Beta1
> Most of you have probably already heard that Microsoft 
> released a public 
> beta of their AntiSpyware product, developed by Giant 
> Software Company 
> (which Microsoft recently bought). Here is the URL for this beta:
> http://www.microsoft.com/athome/security/spyware/software/default.mspx
> I've just started playing with it (it just came out), and 
> have a few things 
> I thought I'd share.
> It created about 1400+ registry entries while installing. 
> Several of them 
> still refer to "GiantCompany". (Not a surprise - Symantec 
> still uses the 
> "Intel LANDesk" registry stuff for their Corporate Edition 
> AntiVirus, after 
> all....)
> It came with definition files dated January 4, 2005. I tried 
> to check for 
> updates, and it said there were none. Not surprising, except 
> running packet 
> capture software in the background revealed why - the URL at 
> giantcompany.com that it accessed in order to check for 
> updates returned a 
> 404 ("Not Found") error. Oops... :)
> Of course, the packet capture software I used to determine 
> this relies on 
> WinPCap. The AntiSpyware software flagged WinPCap. However, 
> it gave a good 
> explanation of why it flagged it, it called it a "low" risk 
> threat, and the 
> default action was to "ignore" it.
> Subsequent scans continued to flag WinPCap, even though I had chosen 
> "ignore" several times in the past. I then discovered there 
> is an option 
> called "ignore always". That option did appear to function as 
> I'd expect, 
> as a future scan did not flag it.
> Upon install, Microsoft AntiSpyware asks you if you want to 
> be a part of 
> "SpyNet". Microsoft is apparently trying to make you feel as 
> though you are 
> part of some spyware-busting community, while in reality, at 
> least at first 
> glance, it just appears to offer you an easy way to report spyware 
> infections to them via this software. However, when I tell it 
> to inform 
> this SpyNet, it tries to talk to an IP address over port 
> 80/tcp that is 
> apparently not currently listening on that port. So, the end 
> user feels 
> like they did a Good Thing by submitting this to them, when 
> in fact, the 
> submission went into the Bit Bucket without any notification 
> to the client.
> (Of course, this is Beta software, so perhaps the framework 
> for some of 
> this stuff isn't completed. It was still irritating to 
> discover this. I 
> would have prefered a notice that SpyNet couldn't be accessed 
> at this time, 
> with an option to try again at a later time. At least that way, my 
> "valuable contribution" to SpyNet wouldn't be lost forever.)
> So, I took a test machine and downloaded and ran a current, 
> really nasty 
> threat, with Microsoft AntiSpyware Beta1 running. The 
> AntiSpyware software 
> noticed that it tried to install CoolWebSearch (which it 
> called a "very 
> high" threat), and recommended that I block it. It also 
> noticed when two 
> unknown Browser Helper Objects (BHOs) tried to be installed 
> and let me 
> block those. It also notified me of something trying to put 
> itself in the 
> startup folder, and another thing trying to change my home page, and 
> another that installed a toolbar in IE, and allowed me to act 
> accordingly. 
> This all worked pretty well I must say. When I told it to 
> "remove" the 
> toolbar, it did. (Note: This was all done in real-time detection.) 
> Literally, IE with a evil toolbar installed did not have the 
> toolbar there 
> after closing it and opening it again.
> Unfortunately, it did not detect all of the spyware that this threat 
> installed, at least not in real time. It did later complain 
> when the (still 
> running) spyware attempted to install the BHOs again, and 
> when it tried to 
> change the IE start page again, so at least it was easy to 
> detect that it 
> missed something. And, each time that it had told me about 
> some Spyware 
> that got installed, it asked me to run a full scan, with a 
> Yes/No button to 
> start it right then. This is good, because many of the 
> spyware installers 
> install numerous different products.
> So, I ran a manual scan, and it found more stuff. It then 
> offered me to 
> report this to SpyNet. Again, it appeared to have worked, but 
> the packet 
> capture confirmed the remote IP address simply sending RST packets in 
> response to the report attempts...
> Ultimately, it (sort of) did not detect and remove all of the spyware 
> installed. After the manual scan, I later received more 
> warnings that an 
> Internet Explorer toolbar was prevented from being installed 
> (at least it 
> warned me in real time again!). I wasn't doing anything to 
> cause the alert, 
> so obviously, something evil remained. I tried a "full system 
> scan" (not 
> the default), and it did not find the anything that was still 
> running. 
> However, updated AntiVirus (SAVCE) software doing real-time 
> detection did 
> detect several things during this full system scan (because the evil 
> executables were being accessed by the AntiSpyware scan, so 
> they were all 
> scanned by AV as well), and the combination of the two did 
> seem to get rid 
> of the threat. I rebooted and did not see any further signs of 
> virus/spyware activity.
> I did not see a method of reviewing (at a later time) which 
> threats it 
> found via real-time scanning. I could only find a way to see 
> which threats 
> were found during previous manual scans.
> Some other features of the program are not complete yet. For 
> example, you 
> can click a link for more information about a threat, and it 
> replies that 
> "The requested information is not currently available".
> One other observation - this appears to be a RAM hog. Just 
> running in the 
> background seemed to take 16 MB of RAM. Launching the 
> application to do 
> things with it added to that significantly. (While running a 
> manual scan of 
> the hard drive, I observed about 40 MB of RAM in use in total by the 
> software's various components. This was one observation, and isn't 
> scientific at all. YMMV.)
> Another thing. It flags you each time you try to run a 
> "script file", such 
> as a batch file. You can tell it to allow it or block it, and 
> check a box 
> "remember this action". Checking that box seems to only 
> affect the specific 
> batch file in its specific location. Moving it or renaming it 
> and launching 
> it again will cause the prompt.
> I did not try to determine how easily this software could be 
> disabled by 
> malicious software. I suspect it would not be terribly 
> difficult, but don't 
> have any evidence to support my suspicion at this time.
> Overall it looks like it could become a solid product. It did 
> remove the 
> things it said it removed. It did a reasonable job of detecting 
> spyware-like activity that was being performed by mostly 
> unknown spyware. 
> I'd say it's certainly something to keep an eye on, if you 
> have enough RAM 
> to support it.
> Brian
> -- 
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

More information about the unisog mailing list