Andre Da Costa said:
PoeBot.Explorer is actually Spyware, check here:
http://www.cybersoft.com/about/alerts.php
I didn't bother to look it up. The OP was the one that said it was a
virus which then put it outside the venue of malware that MSAS was
developed to detect. It was my mistake in believing the OP knew what
they were talking about. The OP also never mentioned if he did an
update and manual scan right after installing MSAS to guarantee the
spyware wasn't already on his system. His inference is that the
real-time scanner didn't detect it (which it probably won't since it
detects *changes* in the monitored critical areas) and that he did not
think of actually performing a scan after installing the product. Also,
if he disabled MSAS so its real-time scanners weren't active and then
the spyware got installed, the real-time scanner probably doesn't go
searching all files and checking the signatures against them since that
would generate a lot of disk activity, something you do by performing a
manual scan.
Having the real-time scanners enabled does not obviate the need to
perform the manual scans to actually check the signatures against the
files. Looking at the settings for the real-time agents (Internet,
System, and Application) shows that none of them go scanning files to
check them against the signatures to detect the entry of spyware. They
only check for changes in critical areas; i.e., they check behavior and
don't go checking the fingerprint of every file. You need to use the
real-time scanners to monitor for *changes* in critical areas AND you
need to periodically perform a scan to exercise the signatures against
your files.
The other problem with MSAS is that it *polls* for those changes. It
does not intercept them. You can edit the hosts file with Notepad, exit
Notepad, and maybe a minute later MSAS will notify you that the hosts
file got changed. The application that performed the change is long
gone. That's why MSAS cannot identify the application or even the
process that made the change because it's probably long gone by the time
MSAS gets around to detecting the change. WinPatrol has the same defect
of polling for changes. Prevx (Home version is free) intercepts the
changes and will hang the application attempting to make the change so
the user can decide whether or not to allow the change at the time the
change is attempted and Prevx also knows the application that is
attempting to perform the change (and why you can tell Prevx to allow or
block that application in the future). I use both MSAS and Prevx
because Prevx is an IDS (intrusion detection system) product that
intercepts suspicious behavior but is not specifically geared to
detecting spyware whereas MSAS is geared to detecting spyware (by using
its manual scan) but notifies the user too late. Prevx isn't for
newbies.
Since anti-virus products now include detection of trojans and some
spyware programs (and some promise to start including detection of
rootkits), I suppose anti-spyware products might do the same and overlap
but in reverse by including detection of trojans and viruses, but I
won't hold my breath waiting for an all-in-one malware detector program
that catches them all.
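To make the polling-versus-signature distinction in the post concrete, here is an added Python example that is not part of the original thread and is not code from MSAS, WinPatrol or Prevx. It implements both detection styles in miniature: a polling monitor that hashes a monitored "critical" file and reports only that it changed (the writer is already gone, so nothing identifies it), and a manual signature scan that hashes every file under a directory and matches it against a signature table. The file names, the hosts-file contents, the marker byte string and the signature table are all constructed for this example.

```python
import hashlib
import os
import tempfile

# Constructed signature table for this example: the SHA-256 of a harmless marker
# byte string stands in for a real anti-spyware signature. It matches nothing
# except the file this demo creates itself.
TEST_BODY = b"CONSTRUCTED-TEST-MARKER-NOT-REAL-SPYWARE"
SIGNATURES = {hashlib.sha256(TEST_BODY).hexdigest(): "Constructed.TestSig"}


def file_sha256(path):
    """Hash a file's contents; both the snapshot and the signature scan use this."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Record the current digest of each monitored 'critical' file."""
    return {p: file_sha256(p) for p in paths}


def poll_for_changes(previous, paths):
    """One polling pass: compare against the last snapshot and report what differs.

    As with the polling monitor described in the post, this learns only *that*
    a file changed, never which process changed it; by the time the poll runs
    the writer may already have exited.
    """
    current = snapshot(paths)
    changed = sorted(p for p in paths if current[p] != previous.get(p))
    return changed, current


def signature_scan(root, signatures):
    """Walk a directory and match every file's digest against the signature table.

    This is the 'manual scan' step: it reads every file, which is why a
    real-time agent does not do it continuously.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = file_sha256(path)
            if digest in signatures:
                hits.append((os.path.relpath(path, root), signatures[digest]))
    return hits


def demo():
    """Build a constructed scenario in a temp directory and run both detection styles."""
    with tempfile.TemporaryDirectory() as root:
        hosts = os.path.join(root, "hosts")
        with open(hosts, "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        # The monitor takes its baseline while the hosts file is still clean.
        baseline = snapshot([hosts])

        # Simulate the post's scenario: something rewrites the hosts file and
        # exits, and a file matching a signature lands on disk while no scan
        # is running. Both are constructed for the example.
        with open(hosts, "ab") as f:
            f.write(b"127.0.0.1 update.example.invalid\n")
        with open(os.path.join(root, "payload.bin"), "wb") as f:
            f.write(TEST_BODY)

        # A later polling pass notices the hosts change, but the file that
        # matches a signature is invisible to it: the monitor never hashes
        # files it was not told to watch.
        changed, _ = poll_for_changes(baseline, [hosts])
        # The manual scan is what actually exercises the signatures over every file.
        hits = signature_scan(root, SIGNATURES)
        return {
            "changed": [os.path.relpath(p, root) for p in changed],
            "detections": hits,
        }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two results side by side: the poll reports `hosts` as changed with no information about the writer, and only the signature scan finds the planted file. The snapshot-and-compare loop is the reason a change monitor cannot name the offending process, and the per-file hashing in `signature_scan` is the disk activity the post says a real-time agent avoids.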