Microsoft AntiSpyware - Beta

Uno Hoo!

Recently downloaded the beta version of Microsoft's anti-spyware prog. It
immediately found a couple of items of spyware that Adaware had not (C2 Lop
and Powereg scheduler) but also made irritating changes such as changing my
default search engine from Google to MSN and (for some reason) attempting to
change my homepage from Wanadoo back to Freeserve!
I can just about see why it might consider that the Homepage had been
changed from default Freeserve due to some malware - but why, other than
Microsoft's tendency to push its own products, would an anti-spyware prog
change your default search engine? (I've changed it back again!)

Kev
 
Uno Hoo! said:
Recently downloaded the beta version of Microsoft's anti-spyware prog.
It immediately found a couple of items of spyware that Adaware had not
(C2 Lop and Powereg scheduler) but also made irritating changes such
as changing my default search engine from Google to MSN and (for some
reason) attempting to change my homepage from Wanadoo back to
Freeserve!
I can just about see why it might consider that the Homepage had been
changed from default Freeserve due to some malware - but why, other
than Microsoft's tendency to push its own products, would an
anti-spyware prog change your default search engine? (I've changed it
back again!)

Kev


Since LOP is a toolbar and hijacks the browser, which includes the home
page, removing LOP probably left entries behind that had to get filled
so MSAS guessed. Did the home page and search engine change before or
after you removed LOP using MSAS? I have MSAS installed and it did not
change these settings: my home page remained the same and my default
search engine is still Google.
 
Uno said:
Recently downloaded the beta version of Microsoft's anti-spyware prog. It
immediately found a couple of items of spyware that Adaware had not (C2 Lop
and Powereg scheduler) but also made irritating changes such as changing my
default search engine from Google to MSN and (for some reason) attempting to
change my homepage from Wanadoo back to Freeserve!
I can just about see why it might consider that the Homepage had been
changed from default Freeserve due to some malware - but why, other than
Microsoft's tendency to push its own products, would an anti-spyware prog
change your default search engine? (I've changed it back again!)

i believe this qualifies the anti-spyware app as adware - since it
takes steps to promote other services/products...

that is if the anti-spyware app really did those things...
 
I experienced no such changes with MS Antispyware.

It did find a RAT which I eradicated.

-C
 
i believe this qualifies the anti-spyware app as adware - since it
takes steps to promote other services/products...

that is if the anti-spyware app really did those things...

MS AntiSpyware is NOT adware. The process which changed your home page
is a routine to recover from possible Browser Hijackers. This routine
is run after you remove any piece of malware using MSAS. You can
change the setting to which the program will recover your browser to.
It being a MS product changed yours to msn.com, you can change this
setting to recover your browser to google.com or whatever you wish.
This is not an attempt on the application to take ownership of your
internet browser.


Regards,
Ian Kenefick
http://www.ik-cs.com
 
kurt said:
Uno Hoo! wrote:

i believe this qualifies the anti-spyware app as adware - since it
takes steps to promote other services/products...

that is if the anti-spyware app really did those things...

It only did that because those are the default settings for MSIE. I
think the defaults set on installation (i.e. customised by an ISP) are
stored in the registry somewhere, but of course if they are there,
scumware could change those values too, so they can't be relied upon in
these circumstances. There is not a lot the app can do but restore the
plain vanilla Microsoft factory default settings.
 
Thanks to everyone for your responses. As has been pointed out, MS
Antispyware will reset to factory default setting any changes that it
considers may have been caused by malware. I have now changed the default
settings to Google and so any changes in the future should be back to
Google!

Kev
 
Ian said:
i believe this qualifies the anti-spyware app as adware - since it
takes steps to promote other services/products...

that is if the anti-spyware app really did those things...

MS AntiSpyware is NOT adware. The process which changed your home page
is a routine to recover from possible Browser Hijackers. This routine
is run after you remove any piece of malware using MSAS. You can
change the setting to which the program will recover your browser to.
It being a MS product changed yours to msn.com, you can change this
setting to recover your browser to google.com or whatever you wish.
This is not an attempt on the application to take ownership of your
internet browser.

with all due respect, yes it is... you can't honestly believe a setting
that says google is the search engine would be the result of actions
taken by a browser hijacker... changing it from google to msn search is
designed to gain search engine market share from google (just as
bundling IE with the OS was designed to gain browser market share from
netscape)... ms claiming that their product is just resetting things to
factory defaults is a poor excuse and it also admits that the product
is too stupid to recognize legitimate user configuration changes from
those changes made by spyware...
 
Julian said:
It only did that because those are the default settings for MSIE. I
think the defaults set on installation (i.e. customised by an ISP) are
stored in the registry somewhere, but of course if they are there,
scumware could change those values too, so they can't be relied upon in
these circumstances. There is not a lot the app can do but restore the
plain vanilla Microsoft factory default settings.

the app can recognize that a setting that says google is the search
engine of choice is probably not the result of a browser hijacker...

and frankly, if the application doesn't know what the right settings
are supposed to be, it should either ask or not change them at all...
 
with all due respect, yes it is... you can't honestly believe a setting
that says google is the search engine would be the result of actions
taken by a browser hijacker... changing it from google to msn search is
designed to gain search engine market share from google (just as
bundling IE with the OS was designed to gain browser market share from
netscape)... ms claiming that their product is just resetting things to
factory defaults is a poor excuse and it also admits that the product
is too stupid to recognize legitimate user configuration changes from
those changes made by spyware...

You can change this setting. And it tells you that it is changing the
browser settings so it is not without user consent - which is a
criterion of adware. I agree with what you are saying to a certain
extent - up until the point you classify it as adware.


Regards,
Ian Kenefick
http://www.ik-cs.com
no snake oil here!
 
Ian JP Kenefick said:
MS AntiSpyware is NOT adware. The process which changed your home page
is a routine to recover from possible Browser Hijackers. This routine
is run after you remove any piece of malware using MSAS. You can
change the setting to which the program will recover your browser to.
It being a MS product changed yours to msn.com, you can change this
setting to recover your browser to google.com or whatever you wish.
This is not an attempt on the application to take ownership of your
internet browser.

The default action should be to ask the user, not to set the homepage to
msn.com. Setting it to msn.com merely increases their revenue like any
other hijacker.
 
kurt wismer said:
the app can recognize that a setting that says google is the search
engine of choice is probably not the result of a browser hijacker...

and frankly, if the application doesn't know what the right settings
are supposed to be, it should either ask or not change them at all...


I didn't realize Microsoft has a contract with Google to advertise
Google's services (which are supported by advertisers paying GOOGLE, not
Microsoft). Yeah, I visit symantec.com and expect to see web pages
from Creative Labs but who has web pages for Logitech and so on. Just
because you haven't seen a hijacker that set the home page to Google
doesn't mean there isn't one. Hijackers don't just set the home page to
their own to generate revenue. They could also be configured to simply
irritate users. After all, virus authors never get to see the results
of their work, either.

So how huge a list of "good" URLs to various web sites should Microsoft
maintain? Maybe my desired home page is at Symantec, or Intel, or IBM,
or BestBuy, or whatever. Yeah, like Microsoft is going to maintain some
huge list of good web sites, or a blacklist of bad sites, so it can
figure out if the home page should be left as is. Get real.

About the only choice that wouldn't be self-serving for a home page
would be to reset the browser to the about:blank home page. You think
users wouldn't bitch about that choice, too?
 
Roger Wilco said:
The default action should be to ask the user, not to set the homepage
to
msn.com. Setting it to msn.com merely increases their revenue like any
other hijacker.


So how does Microsoft make any money from anyone visiting msn.com? I
didn't realize visitors had to pay to see that web site. So what should
Microsoft reset the home page to that has been hijacked since it also
cannot rely on any registry settings? Your personal web page on, say,
Geocities for everyone using MSAS? What do YOU think would be a good
home page to set after recovering from a hijack?

I supposed MSAS could record the home page, and other settings, when it
got installed and encrypt them into a database and then restore to those
values, but then the browser might already be hijacked hence the need
for using MSAS which would then be simply resetting the home page back
to what the hijackware set it to and which you did not want (so MSAS
becomes an assistant to the hijacker). Even if the settings were
encrypted into a database that MSAS stored (after asking the user if it
was okay, but then you're talking about dumb users that would simply say
Yes), what would stop the hijacker from deleting or corrupting the
database so MSAS couldn't use it anymore to reset to defaults. The
defaults are the same as when you first installed IE or first installed
Windows and the included IE. I suppose they could default to
about:blank - but then you'd be bitching about that, too.

The hijack changed your home page, so you want MSAS to remove the
hijacker but still point to the hijacker's home page (so you can get
infected again)? It reset to the install-time defaults. I suppose they
could use microsoft.com but you'd bitch about that, too. They could set
it to about:blank but many would still bitch about that choice. YOUR
preferences have been corrupted by the hijacker so obviously those
values cannot be used in resetting the browser's settings; otherwise,
why would you remove the hijacker if you wanted to continue visiting the
hijacker's home page?
 
Ian said:
You can change this setting.

yeah, and you can uninstall msas too... that's not the point...

And it tells you that it is changing the
browser settings so it is not without user consent - which is a
criterion of adware.

consent is not a criterion for adware... gator is adware and you
generally have to agree to an EULA specifying that it will be installed...

I agree with what you are saying to a certain
extent - up until the point you classify it as adware.

because, apparently, we have a different opinion on what constitutes
adware...
 
Vanguard said:
So how does Microsoft make any money from anyone visiting msn.com? I
didn't realize visitors had to pay to see that web site.

the money is in the form of advertising revenue...

So what should
Microsoft reset the home page to that has been hijacked since it also
cannot rely on any registry settings?

if they don't know what the appropriate setting should be they should
either ask what it is or simply not change the homepage/search engine
settings...

[snip]
The hijack changed your home page, so you want MSAS to remove the
hijacker but still point to the hijacker's home page (so you can get
infected again)?

let's return to reality here - msas changed the search engine of choice
from google to msn... google didn't hijack anyone's browser...
 
Vanguard said:
I didn't realize Microsoft has a contract with Google to advertise
Google's services (which are supported by advertisers paying GOOGLE, not
Microsoft).

microsoft has no obligation to point people towards google, that's
true... but they do have an obligation not to unfairly redirect
google's users away from google...

Yeah, I visit symantec.com and expect to see web pages
from Creative Labs but who has web pages for Logitech and so on. Just
because you haven't seen a hijacker that set the home page to Google
doesn't mean there isn't one. Hijackers don't just set the home page to
their own to generate revenue. They could also be configured to simply
irritate users. After all, virus authors never get to see the results
of their work, either.

since google is not a hijack page, there is a good chance that people
actually *want* to use it... changing it to msn because the user might
theoretically not want it pointing to google is sophistry...

So how huge a list of "good" URLs to various web sites should Microsoft
maintain? Maybe my desired home page is at Symantec, or Intel, or IBM,
or BestBuy, or whatever. Yeah, like Microsoft is going to maintain some
huge list of good web sites, or a blacklist of bad sites, so it can
figure out if the home page should be left as is. Get real.

since msas is already blacklisting software it is not the slightest bit
unreasonable for it to also blacklist the nefarious urls associated
with that blacklisted software...

About the only choice that wouldn't be self-serving for a home page
would be to reset the browser to the about:blank home page. You think
users wouldn't bitch about that choice, too?

you've obviously never heard of interactive software... msas could
*ask* what url to use...
 
kurt wismer said:
the money is in the form of advertising revenue...

Which is generated whether you visit or not. Unless you actually visit
those linked sites then they don't know whether or not you've been to
the msn.com site. So don't click on any links (most of which are to a
Microsoft domain, anyway) or visit any sub-pages.

So what should Microsoft reset the home page to that has been
hijacked since it also cannot rely on any registry settings?

if they don't know what the appropriate setting should be they should
either ask what it is or simply not change the homepage/search engine
settings...

[snip]
The hijack changed your home page, so you want MSAS to remove the
hijacker but still point to the hijacker's home page (so you can get
infected again)?

let's return to reality here - msas changed the search engine of choice
from google to msn... google didn't hijack anyone's browser...

How do you know that the hijacker didn't change the search engine, and
changed it to Google? The user might've been using the Microsoft
search, or some other search as the default, the hijacker changes it to
Google, and the user still doesn't get the correct search after using
MSAS. Hijacks do NOT have to be just for profit. They can also be used
to irritate or infuriate, just like viruses. Just because you happen to
use Google as your search engine doesn't mean that MSAS can guess for
you what you want and that the current settings weren't the effect of a
hijack, or even some other user that walked over to your host while you
left it logged in and changed it for you based on what they like.

If you want MSAS to restore some other search page, home page, or other
settings, then why not configure MSAS to do that? Advanced Tools ->
Browser Restore, select your search page for your profile (or the global
default), and set it to whatever your heart desires. Then MSAS doesn't
have to guess by resetting to install-time defaults. It can reset to
what you told it to.
 
kurt wismer said:
you've obviously never heard of interactive software... msas could
*ask* what url to use...


So what is stopping you from doing that? Advanced Tools -> Browser
Restore, select the home page, search page, or whatever browser
settings, and set the value to which MSAS will restore to rather than
having it guess by resorting to install-time defaults.
 
kurt said:
let's return to reality here - msas changed the search engine of choice
from google to msn... google didn't hijack anyone's browser...

I think the reality here is that it is using a generic disinfector.
Search engines are often hijacked, and therefore restoring the default
settings is reasonable. Not much different from a macro virus
disinfector that strips *all* macros out of a document including the
benign ones. Or would you claim a hidden agenda for that as well?
 
So how does Microsoft make any money from anyone visiting msn.com?

Increasing their number of hits makes them more desirable real estate
for advertisements. Advertising one's own product on one's own site does
not detract from the fact that the advertising space's worth is
increased with visitorship increasage.

(yeah, I made those last two words up) ... :)

I
didn't realize visitors had to pay to see that web site. So what should
Microsoft reset the home page to that has been hijacked since it also
cannot rely on any registry settings?

About:blank comes to mind if the program is intended to run unattended,
and 'ask the user' comes to mind otherwise. The important thing is that
the user can now change it without it being automatically changed back
by the guardian adware.

[snipped ramblings]
I suppose they could default to
about:blank - but then you'd be bitching about that, too.

Bullshit! Why would I bitch about that? That is a locally stored
resource. Why do you suppose they chose NOT to use it ($$$)?

The hijack changed your home page, so you want MSAS to remove the
hijacker but still point to the hijacker's home page (so you can get
infected again)?

You're being silly.

It reset to the install-time defaults. I suppose they
could use microsoft.com but you'd bitch about that, too.

Yes, I sure would.

They could set
it to about:blank but many would still bitch about that choice.

My only question about that would be 'why didn't they ask the user
first'?

YOUR
preferences have been corrupted by the hijacker so obviously those
values cannot be used in resetting the browser's settings; otherwise,
why would you remove the hijacker if you wanted to continue visiting the
hijacker's home page?

As long as we're being silly, would you complain if the people at Google
paid MS to set 'their' site as the default?
 