8th-round Antispyware Comparison Report !!

Guest

Eighth Round Antispyware Comparison Report (July 18, 2006):

Cleanup Success Rate for Entry-based Viewpoint:

‧Trend Micro Anti-Spyware: 79.62%
‧Webroot Spy Sweeper: 61.15%
‧PC Tools Spyware Doctor: 57.96%
‧Sunbelt CounterSpy: 55.41%
‧Norton Internet Security: 52.23%
‧McAfee antispyware: 45.86%
‧Computer Associate Anti-Spyware: 41.40%
‧Panda Platinum Internet Security: 28.66%
‧ewido anti-malware: 28.66%
‧Microsoft Windows Defender: 24.84%
‧Lavasoft Ad-Aware: 14.65%
‧Spybot S&D: 12.74%
‧Aluria Anti-Spyware: 2.50%

For detailed information, please go to
http://www.malware-test.com/test_reports.html (Malware-Test Lab).

Note that since the cleanup success rate depends on the spyware samples, we hope
you can help collect a top 100 spyware list and post it to the Forum. Thanks.
 
Guest

What exactly are your test criteria that everyone's applications test so
poorly?

Are tests focused on "cookie hysteria"? Of course, THAT might explain the
poor scores. Just curious.

Incidentally, new rootkit detection, removal, and monitoring tool links have
been added to the Internet Security page in my sig.
 
Guest

Samplas said:
Cleanup Success Rate for Entry-based Viewpoint:
‧ewido anti-malware: 28.66%
‧Microsoft Windows Defender: 24.84%
‧Lavasoft Ad-Aware: 14.65%
‧Spybot S&D: 12.74%

If we take these figures at face value, then I'd have to conclude:
1. The millions of people continuing to use Adaware and Spybot are wasting
their time (it can't be a cookie issue because they both detect them)
2. My recent visit to the ewido online scanner was probably pointless
3. Defender is making very little impact despite all this effort.

It looks like a battle completely lost. Or have the figures been biased in
some way?
 
plun

Hi Alan

It's obvious if we all look around within all the cleaning forums....
Adaware and Spybot are nearly worthless nowadays, and WD also.

Test details:
http://malware-test.com/smf/index.p...7c4bc35824&action=dlattach;topic=1497.0;id=20
Downloads a Zip file including a PDF document.
or

http://malware-test.com/smf/index.php?PHPSESSID=fc71fae8fc1ce6dd67b9cf7c4bc35824&topic=1497.0
(download at bottom)

I cannot comment on whether these infests are a representative test volume, but
nevertheless, for example, TMAS detects nearly all of them.....

So this IS a challenge, but maybe these threats are only representative of
a user who frequently visits the Internet's backyard.... ???

So it is high time to "loudly" inform users about risky sites. IMHO.
"Mission impossible" to protect a "risky user".

regards
plun
 
Guest

That is why I said the antispyware cleanup comparison test report depends on
the spyware samples. So far we don't know how much spyware is in the wild. In
order to provide a more accurate test report, we are trying to collect a top 100
spyware list, and we hope you can help update/collect this list too.

For the detailed test report, you can go to the web site and download the test
report.
 
Guest

In past tests, no single antispyware software is perfect. You need to know
your enemies, otherwise you will get hurt. By the way, I don't know why
Windows Defender's cleanup rate is so low; perhaps it depends on the spyware
samples, and they don't have these spyware samples.
 
Guest

In this round, TMAS got No. 1, but it doesn't mean it will get No. 1 next
time. In a cleanup comparison, how the spyware samples are selected is so
important; that is why we need to collect a top 100 spyware list.
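As an added illustration, not from the thread or from Malware-Test Lab's report, the Python below scores three hypothetical products on constructed sample results under the entry-based viewpoint the report uses and under a per-sample viewpoint, and shows how the viewpoint and the chosen sample subset each change the ranking:

```python
"""Sensitivity of antispyware cleanup rates to scoring viewpoint and sample choice.

Added example with constructed, hypothetical data; it is not the Malware-Test Lab
corpus and ProductA/B/C are not real products.
"""
from fractions import Fraction

# Constructed sample set: sample id -> number of entries (files, registry keys,
# processes) the sample plants on an infected machine.
SAMPLE_ENTRIES = {"s1": 10, "s2": 40, "s3": 5, "s4": 20}

# Constructed cleanup results: product -> sample -> entries the product removed.
RESULTS = {
    "ProductA": {"s1": 10, "s2": 10, "s3": 5, "s4": 20},
    "ProductB": {"s1": 5, "s2": 40, "s3": 2, "s4": 10},
    "ProductC": {"s1": 8, "s2": 30, "s3": 4, "s4": 16},
}


def _chosen(samples):
    """Default to the whole sample set; reject ids the corpus does not contain."""
    samples = list(SAMPLE_ENTRIES) if samples is None else list(samples)
    unknown = [s for s in samples if s not in SAMPLE_ENTRIES]
    if unknown or not samples:
        raise ValueError(f"bad sample subset: {samples}")
    return samples


def entry_rate(product, samples=None):
    """Entry-based viewpoint: entries removed / entries planted, summed over samples.
    Large samples dominate, and partial cleanups still earn credit."""
    samples = _chosen(samples)
    removed = sum(RESULTS[product][s] for s in samples)
    planted = sum(SAMPLE_ENTRIES[s] for s in samples)
    return Fraction(removed, planted)


def sample_rate(product, samples=None):
    """Sample-based viewpoint: fraction of samples removed completely.
    Every sample counts once, and one leftover entry means the sample is not cleaned."""
    samples = _chosen(samples)
    full = sum(1 for s in samples if RESULTS[product][s] == SAMPLE_ENTRIES[s])
    return Fraction(full, len(samples))


def ranking(score, samples=None):
    """Products ordered best-first under a scoring function and a sample subset."""
    return sorted(RESULTS, key=lambda p: score(p, samples), reverse=True)


def percent(rate):
    """Format a Fraction the way the report prints rates, e.g. 79.62%."""
    return f"{float(rate) * 100:.2f}%"


def main():
    subsets = {
        "all samples": None,
        "without the big sample s2": ["s1", "s3", "s4"],
        "only s2": ["s2"],
    }
    for label, subset in subsets.items():
        print(f"== {label} ==")
        for name, score in (("entry-based", entry_rate), ("sample-based", sample_rate)):
            order = ranking(score, subset)
            cells = ", ".join(f"{p} {percent(score(p, subset))}" for p in order)
            print(f"  {name:12s}: {cells}")


if __name__ == "__main__":
    main()
```

With these constructed numbers ProductC leads the entry-based table yet never fully removes a single sample, and dropping or keeping one large sample reorders all three products.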
 
plun

Hi Samplas

Well.... your result can easily be confirmed in every major cleaning
forum within our world. I cannot say if the chosen infests are
a representative volume.

Nevertheless, all major security vendors know about this; they know
nearly all the sites which spread this junk.

Perhaps the security business wants the "Status Quo" between the bad guys
and victims. I can easily use Google with the "signature search" and
see thousands of these infests and also easily check a blocklist from
mvps or others.

The only really good tactic I know today is to inform users about
risks. Showing them "ugly" banners and "dirty sites", "dirty
applications", dirty ActiveX and so on. Show them "Social Engineering"
tricks and so on.

I personally also like AV-Comparatives' tests:
http://www.av-comparatives.org/ > Online results.

regards
plun
 
Guest

Alan,

You are asking the 'Holy Grail' question in the Spyware world today. As
you've seen from the other answers in this and other threads, there is no
simple single answer.

You'll note that Samplas has indicated in his other posts that they don't
have a truly representative set of malware to test and in fact don't even
know what it should be. I actually give him credit for making this statement
since it at least shows that he understands the difficulties of ever managing
to perform tests that will result in useful information, let alone are truly
'accurate'.

To understand the problem better, see 'The Spyware Warrior Guide to
Anti-Spyware Testing by Eric L. Howes'. Eric is a highly respected member of
the anti-malware community and is well known for his 'Rogue/Suspect
Anti-Spyware Products' and IESpyAds lists, among others. Among his
conclusions the following is probably the most important, and why many here
have told you repeatedly that turning off Real-time protection makes it
pointless.

"Prevention is always preferable to scanning and removal, and users should
securely configure their PCs and install anti-malware protection to prevent
the installation of spyware and adware in the first place."
http://spywarewarrior.com/asw-test-guide.htm#conclusions

You'll note that everyone in this thread has made one or more of the same
points included in Eric's conclusions, probably because most have read it or
learned from someone who has. They're very like the 'Top Ten list of
[Anti-]Spyware'.

This is the key, which is what Defender was designed to do, not simply clean
up after the fact. It's actually not as good at clean-up as some others, but
combined with IE 7 and a good anti-virus will stop or warn of most attacks
before they can become installed. Samplas' tests assume the malware are
already installed, so that assumption explicitly denies the ability to block
the installation in the first place, which is the strength of many current
anti-malware applications.

Also, note that Eric never attempted another set of tests, likely because as
he indicated the tests themselves have limitations.
http://spywarewarrior.com/asw-test-guide.htm#disclaimers

Bitman
 
plun

Hi

Well, I can only see what I see within
all cleaning forums today, including forums within my own country.

I do know Eric L. Howes' excellent work with Spywarewarrior and also
about his work at Sunbelt Software. After his Spywarewarrior period I
can see a dramatically changed situation, from stupid commercial vendors'
hijacks to real "bad guys'" hijacks.

Maybe if all users read Sunbelt's blog there would be no victims.... ;)

It IS impossible to protect users today, and ALL users must learn about
"risky sites"....

This is a challenge because of all the Security Vendors and also a big
community around this mess...

Websense showed how to perform a Google search with a special syntax and
it's rather funny to see all the junk... !

I can say that Adaware, Spybot and WD are useless for users frequently
visiting risky sites, i.e. prOn, gambling, warez, p2p, hackz, serialz.

That's it....! And users MUST learn that!

So I believe that the test result is OK.... ;)

regards
plun


 
Guest

Plun,

You're missing an important point, most users will never understand these
things by themselves. It's nice to believe you can educate everyone to the
level of understanding required, but it's fairly obvious it will never happen.

What is required instead is that the Real-time protection of both browsers'
(Phishing, Add-ons) and antimalware (Processes, Registry changes, etc.) must
become more informative and easier to understand so the user can learn 'on
the fly' as the issue presents itself. Most people don't wish to take time to
learn, so where the decision can't be made automatically for them, they need
the best information possible in the fewest words to help them make the best
decision.

This is the direction that Defender has taken, though to some extent I think
it's one of the few important things that Microsoft AntiSpyware Beta 1
(Giant) did better. The clarity of the colors and simple explanations of its
pop-ups was more helpful than the terse and technical format of the WD
balloons and dialogs.

Technically, Defender is a much better written application for protection of
the system and its own self-preservation. From a user standpoint, however,
it lacks some of the simplicity of use and presentation of information to the
user, which are more important when the user must be involved in the final
decision of an action to take.

With the proper combination of current Windows Updates, strong high-security
configuration of Internet Explorer, and properly configured Windows Defender
and anti-virus, I can wander through whatever malware delivery sites I wish
and not 'catch' anything. I wouldn't recommend it, since new exploits are
found regularly, but the issue is less understanding than application of that
knowledge. This is the direction that Vista is taking, by forcing or warning
heavily of any mis-configuration or risks, both internal and external.

Bitman

 
Guest

So it would appear that we are all in agreement ... more or less. It can be
boiled down to the old saw regarding "Lies, damned lies, and statistics" with
a pinch of "garbage in, garbage out" thrown in for good measure.

This is one reason that I don't give much credence to anti-"spyware"
scanners that home in on cookies (generally benign) to elevate their threat
counts.

I see an advantage in maintaining a dynamic repository/archive of malware
signatures -- which may be one of the ulterior motives of Microsoft SpyNet.

I hold Prevx1 in high regard for their efforts along these lines (and
because it is cheap), but there certainly are other anti-threat tools and
intrusion prevention apps that are tackling the problem of zero-day attacks.

Clearly there isn't a product out there that comes close to thwarting every
possible compromise ... YET! But several companies are on the right track.

--
Scott D

Internet Security: http://SecorConsulting.net/pages/security.html
CIS Benchmark: http://SecorConsulting.net/pages/benchmark.html


 
plun

Hi

Users understand it if they see that prOn sites are spreading malware.
Gambling sites also; if you download or use a serial or crack, it is
often prepared with the bad guys' stuff.

Show users banners with, for example, Errorsafe/Winfixer. Aha, they say.

Siteadvisor is also really good for teaching users. Aha again.

http://www.siteadvisor.com/

If you also click on every file with MSN Messenger and open mail
attachments you are often a big loser....

I have tested this within a Swedish forum and IT IS a BIG Aha!

-------------------------------------------------------------------
But.... !

Maybe it's better that MS opens the curtain and shows us TPM, Intel
shows us La Grande and IBM shows us Blue chip. Opens up Windows Vista's
secret with software control with a chip or a USB stick.

And the Trusted Computing Group shows us how they can control every bit
and byte with security chips.

Windows Vista with today's configuration and UAC is a big joke....IMHO.
The bad guys can easily plant a rootkit, but with a TPM chip WITH
security checks it is real security.

Done! That's it.... Slaves to MS and TCG and all the mega companies....

Or maybe this is the solution...?! Remove Security Vendors market and
no need for a cleaning community.

And no "market" for p2p file sharing...;)

regards
plun


 
Guest

Ignorance prevents me from making a sensible contribution to this discussion,
but I just wanted to say thank you to those who've tried to address my
questions.

My Norton subscription expires in a few months time, and when it does I
think renewing it will no longer be automatic as it has been in the past.
I'll be looking far more seriously at the alternatives.
 
Guest

Why wait?

I terminated my "Snortin' Norton" subscription with extreme prejudice BEFORE
it had expired. With their painfully slow signature updates, unfortunate
fascination with rootkit technology, and repeated vulnerabilities, I no
longer consider as viable *ANY* Symantec anti-threat "solutions".

There are far better choices of the free or cheap varieties to be had.
 
Guest

At a fundamental level I think we are in agreement, though for different
reasons.

Though I agree that cookies aren't an important concern today, they are a
legacy of the evolution of spyware and as such are found in many of the
original anti-spyware applications like Spybot Search & Destroy, even though
that program's author, Patrick Kolla, recommends using the browser's built-in
cookie handling himself.

The more difficult part of the legacy to kill is the idea of 'scanning'
itself, which is outmoded in today's fast paced environment. Scanning is
flawed since it assumes that the infection is already in place, which is the
primary flaw in cases such as Rootkits or other malware which modify the OS
or directly attack the protection software to hide themselves.

With the fast changing nature of vulnerabilities, exploits and malware, the
idea that anything can keep up is obviously ridiculous, even with something
like SpyNet, so the capability of recognizing an application's attempt to
install itself and warning the user is the only real defense at the moment.
Moving application developers towards ideas like signing their applications
helps with identifying the source and possible associated risk, but a portion
of this is still a guess.

This means that identifying the actions of the application using real-time
modules or 'agents', combined with whatever known files (signatures) it may
carry and informing the user so they may decide is the only reasonable method
available. Thus most forward thinking antimalware include some sort of active
real-time monitoring as at least a partially proactive alternative to
scanning, with scanning itself merely a 'backup' method primarily used to
clean the scattered remnants of an infection or other 'dropper' files.

This is also the reason I have little trust or interest in most antimalware
'testing', since it tends to ignore these changes in protection. Performing a
'scan' after installing all of the malware with the real-time protection
disabled is ignoring the primary method antimalware use today. Determining
how well this protection actually works would require testing each malware
attack individually and in some cases in combination, with the results still
somewhat subjective due to the potential differences in human response.

Reality is never simple.

Bitman

Scott D said:
So it would appear that we are all in agreement ... more or less. It can be
boiled down to the old saw regarding "Lies, damned lies, and statistics" with
a pinch of "garbage in, garbage out" thrown in for god measure.

This is one reason that I don't give much credence to anti-"spyware"
scanners that home in on cookies (generally benign) to elevate their threat
counts.

I see an advantage in maintaining a dynamic repository/archive of malware
signatures -- which may be one of the ulterior motives of Microsoft SpyNet.

I hold Prevx1 in high regard for their efforts along these lines (and
because it is cheap), but there certainly are other anti-threat tools and
intrusion prevention apps that are tackling the problem of zero-day attacks.

Clearly there isn't a product out there that comes close to thwarting every
possible compromise ... YET! BUt several companies are on the right track.

--
Scott D

Internet Security: http://SecorConsulting.net/pages/security.html
CIS Benchmark: http://SecorConsulting.net/pages/benchmark.html


Bitman said:
Alan,

You are asking the 'Holy Grail' question in the Spyware world today. As
you've seen from the other answers in this and other threads, there is no
simple single answer.

You'll note that Samplas has indicated in his other posts that they don't
have a truly representative set of malware to test and in fact don't even
know what it should be. I actually give him credit for making this statement
since it at least shows that he understands the difficulties of ever managing
to perform tests that will result in useful information, let alone are truly
'accurate'.

To understand the problem better, see 'The Spyware Warrior Guide to
Anti-Spyware Testing by Eric L. Howes'. Eric is a highly respected member of
the anti-malware community and is well known for his 'Rouge/Suspect
Anti-Spyware Products' and IESpyAds lists, among others. Among his
conclusions the following is probably the most important, and why many here
have told you repeatedly that turning off Real-time protection makes it
pointless.

"Prevention is always preferable to scanning and removal, and users should
securely configure their PCs and install anti-malware protection to prevent
the installation of spyware and adware in the first place."
http://spywarewarrior.com/asw-test-guide.htm#conclusions

You'll note that everyone in this thread has made one or more of the same
points included in Eric's conclusions, probably because most have read it or
learned from someone who has. They're very like the 'Top Ten list of
[Anti-]Spyware'.

This is the key, which is what Defender was designed to do, not simply clean
up after the fact. It's actually not as good at clean-up as some others, but
combined with IE 7 and a good anti-virus will stop or warn of most attacks
before they can become installed. Samplas' tests assume the malware are
already installed, so that assumption explicitly denies the ability to block
the installation in the first place, which is the strength of many current
anti-malware applications.

Also, note that Eric never attempted another set of tests, likely because as
he indicated the tests themselves have limitations.
http://spywarewarrior.com/asw-test-guide.htm#disclaimers

Bitman

Alan D said:

Cleanup Success Rate for Entry-based Viewpoint:

‧ewido anti-malware: 28.66%
‧Microsoft Windows Defender: 24.84%
‧Lavasoft Ad-Aware: 14.65%
‧Spybot S&D: 12.74%

If we take these figures at face value, then I'd have to conclude:
1. The millions of people continuing to use Adaware and Spybot are wasting
their time (it can't be a cookie issue because they both detect them)
2. My recent visit to the ewido online scanner was probably pointless
3. Defender is making very little impact despite all this effort.

It looks like a battle completely lost. Or have the figures been biased in
some way?
 
G

Guest

Alan,

The only reason I respond to your posts is that generally your questions are
good ones, with insight that takes most years to develop, though sometimes
the facts are a bit screwed up.

Though it may sound from some of my posts like I'm against user education,
it's actually the exact opposite, though I have little expectation that most
will bother. You on the other hand are in the midst of your 'Why?' phase with
computers, the Internet and malware, which is the most important moment to
gain a true understanding.

I won't suggest any specific products and in fact fully expect you will
determine that for yourself. I do, however, like the fact that you are
questioning your protection options and see the need to spend some time
learning before making a decision.

The only additional thing I'll mention is that most make their decision
based on simplistic criteria without ever understanding the real reasons that
malware, and thus antimalware operate the way they do. Part of this is
history and part is technology, with a good bit of human nature thrown in to
confuse things. All of this is important, so you have to learn to read beyond
the facts to understand why things work the way they do.

Bitman
 
P

plun

Bitman

- Open your eyes and watch this junk yard!

- This is a big "illusion" and a nearly total fiasco.....!

- The users who survive ARE educated about risks and therefore
a lot of them probably only need a real firewall.

- It's a real shame that the community cannot spread a mission about
risky sites and social engineering tricks.

- It's also a shame that this document isn't spread more widely within
EVERY place where users meet.

http://www.antispywarecoalition.org/documents/safetytips.htm

"Human stupidity"............and a lot of users will be really hurt and
sad. Tragic and a real tragedy.

Windows Vista will solve it, bah, "trolls" from Redmond maybe believe
that.

That's it...
 
G

Guest

Plun,

The problem I see is how to get any of these into the hands of the users who
need them. Though many could use the education, I don't see how we can 'force
feed' this without any control.

This is why I see value in the direction that Defender and other similar
anti-malware are taking, even if it does still need improvement. At least
they may learn something from using it as it prompts and informs them about
changes to their own PC.

It's always helpful to offer such tools to others when they show an
interest, but as I've seen from my own monitoring of manual malware removal
sites, most don't have this interest, even after they've had a major
infection and cleanup experience.

With the free availability, marketing and distribution that Defender will
have, it has the most likely potential for wide deployment, so its
development has the greatest future potential to aid the user population.
Being negative about its abilities without aiding in its improvement is
pointless, unless you happen to be a malware purveyor and wish to see it fail.

I believe that the combination of Internet Explorer 7 and Windows Defender
running on Windows XP Service Pack 2 has the potential to bring things back
in control for those who eventually install it. I only hope that those with
some knowledge can see past their personal prejudice and preferences to the
larger picture and help those around them see the value in these free options
if they have nothing else.

Bitman

plun said:
Hi

Users understand it if they see that prOn sites are spreading malware.
Gambling sites too; if you download or use a serial or crack, it is
often prepared with the bad guys' stuff.

Show users banners with for example Errorsafe/Winfixer. Aha, they say.

Siteadvisor is also really good to teach users. Aha again.

http://www.siteadvisor.com/

If you also click on every file with MSN Messenger and open mail
attachments you are often a big loser....

I have tested this within a Swedish forum and IT IS a BIG Aha!

-------------------------------------------------------------------
But.... !

Maybe it's better that MS opens the curtain and shows us TPM, Intel
shows us La Grande and IBM shows us Blue chip. Opens up Windows Vista's
secret with software control with a chip or a USB stick.

And the Trusted Computing Group shows us how they can control every bit
and byte with security chips.

Windows Vista with today's configuration and UAC is a big joke....IMHO.
The bad guys can easily plant a rootkit, but with a TPM chip WITH
security checks it is real security.

Done! That's it.... Slaves to MS and TCG and all mega companies....

Or maybe this is the solution...?! Remove Security Vendors market and
no need for a cleaning community.

And no "market" for p2p file sharing...;)

regards
plun


Plun,

You're missing an important point, most users will never understand these
things by themselves. It's nice to believe you can educate everyone to the
level of understanding required, but it's fairly obvious it will never
happen.

What is required instead is that the Real-time protection of both browsers
(Phishing, Add-ons) and antimalware (Processes, Registry changes, etc) must
become more informative and easier to understand so the user can learn 'on
the fly' as the issue presents itself. Most people don't wish to take time to
learn, so where the decision can't be made automatically for them, they need
the best information possible in the fewest words to help them make the best
decision.

This is the direction that Defender has taken, though to some extent I think
it's one of the few important things that Microsoft AntiSpyware Beta 1
(Giant) did better. The clarity of the colors and simple explanations of its
pop-ups was more helpful than the terse and technical format of the WD
balloons and dialogs.

Technically, Defender is a much better written application for protection of
the system and its own self-preservation. From a user standpoint, however,
it lacks some of the simplicity of use and presentation of information to the
user, which are more important when the user must be involved in the final
decision of an action to take.

With the proper combination of current Windows Updates, strong high-security
configuration of Internet Explorer, and properly configured Windows Defender
and anti-virus, I can wander through whatever malware delivery sites I wish
and not 'catch' anything. I wouldn't recommend it, since new exploits are
found regularly, but the issue is less understanding than application of that
knowledge. This is the direction that Vista is taking, by forcing or warning
heavily of any mis-configuration or risks, both internal and external.

Bitman

plun said:
Hi

Well, I can only see what I see within
all cleaning forums today including forums within my own country.

I do know Eric L. Howes' excellent work with Spywarewarrior and also
about his work at Sunbelt Software. After his Spywarewarrior period I
can see a dramatically changed situation, from stupid commercial vendor
hijacks to real "bad guys" hijacks.

Maybe if all users read Sunbelt's blog there would be no victims.... ;)

It IS impossible to protect users today and ALL users must learn about
"risky sites"....

This is a challenge because of all the Security Vendors and also a big
community around this mess...

Websense showed how to perform a Google search with a special syntax and
it's rather funny to see all the junk...!

I can say that Adaware, Spybot and WD are useless for users frequently
visiting risky sites, i.e. prOn, gambling, warez, p2p, hackz, serialz.

That's it....! And users MUST learn that!

So I believe that the test result is OK.... ;)

regards
plun



Alan,

You are asking the 'Holy Grail' question in the Spyware world today. As
you've seen from the other answers in this and other threads, there is no
simple single answer.

You'll note that Samplas has indicated in his other posts that they don't
have a truly representative set of malware to test and in fact don't even
know what it should be. I actually give him credit for making this
statement since it at least shows that he understands the difficulties of
ever managing to perform tests that will result in useful information, let
alone are truly 'accurate'.

To understand the problem better, see 'The Spyware Warrior Guide to
Anti-Spyware Testing by Eric L. Howes'. Eric is a highly respected member
of the anti-malware community and is well known for his 'Rogue/Suspect
Anti-Spyware Products' and IESpyAds lists, among others. Among his
conclusions the following is probably the most important, and why many here
have told you repeatedly that turning off Real-time protection makes it
pointless.

"Prevention is always preferable to scanning and removal, and users should
securely configure their PCs and install anti-malware protection to prevent
the installation of spyware and adware in the first place."
http://spywarewarrior.com/asw-test-guide.htm#conclusions

You'll note that everyone in this thread has made one or more of the same
points included in Eric's conclusions, probably because most have read it
or learned from someone who has. They're very like the 'Top Ten list of
[Anti-]Spyware'.

This is the key, which is what Defender was designed to do, not simply
clean up after the fact. It's actually not as good at clean-up as some
others, but combined with IE 7 and a good anti-virus will stop or warn of
most attacks before they can become installed. Samplas' tests assume the
malware are already installed, so that assumption explicitly denies the
ability to block the installation in the first place, which is the
strength of many current anti-malware applications.

Also, note that Eric never attempted another set of tests, likely because
as he indicated the tests themselves have limitations.
http://spywarewarrior.com/asw-test-guide.htm#disclaimers

Bitman


Cleanup Success Rate for Entry-based Viewpoint:
‧ewido anti-malware: 28.66%
‧Microsoft Windows Defender: 24.84%
‧Lavasoft Ad-Aware: 14.65%
‧Spybot S&D: 12.74%

If we take these figures at face value, then I'd have to conclude:
1. The millions of people continuing to use Adaware and Spybot are wasting
their time (it can't be a cookie issue because they both detect them)
2. My recent visit to the ewido online scanner was probably pointless
3. Defender is making very little impact despite all this effort.

It looks like a battle completely lost. Or have the figures been biased in
some way?
 
G

Guest

Plun,

I'm not certain if it's the language barrier, but you obviously seem to have
no understanding of what I'm saying, so please stay out of threads where I'm
not directly responding to you.

You may believe what you wish, but the reality is that few care to be
educated as Alan does, so unless we create some draconian police state to
require it, other methods must be found. Human stupidity is a common trait
for many so the only hope is to catch it at the point of contact. You may
wish to believe it can be 'solved', but have no real solution to offer, only
rants and more links that no one ever reads.

Please do me the courtesy of staying out of my threads in the future and I
will do the same for you.

Bitman
 
