Why I uninstalled MSAS

[.]

I was testing MSAS on two computers with WinXP. I have removed it because
of two primary problems.

One: No matter how I set the options, it started every time windows
started. I prefer to have complete control over which programs start with
windows startup. The program was not it the start-up folder under Programs
in the Start Menu. Neither did it appear in MSConfig to disable. I don't
need full time protection from spyware because I'm the only user of my
computer and there is very little chance I'll infect my computer. All I
wanted from MSAS was another program (I already run Spybot and Ad-Aware
regularly) to occasionally scan the computer and clear tracks.

Two: On one of the computers, after turning MSAS off in the system tray, it
kept coming back on. I would turn it off again and it would come back on.
Again I don't like have programs on the computer that I can't control. I
want to be able to shut that program down to have resources for games and
whatever else I'm doing on the computer.

I appreciate that MS is trying to further secure its customer's computers.
However I do not want a program I can't control. There are other programs
that serve the same purpose, are equally as effective, without any hassles.
For now, I will not use MSAS. I may look in on it again in the future to
see if it still has the issues I didn't like, but unless they fix these
issues I will not use the program and I will not recommend it to friends and
family.

Jim W.

 

[Bill Sanderson]

Jim - your observations of the action of the product are accurate.

If you need to disable it from starting, either removing it from the start
location in the registry (you can see this location from the System
Explorers, but it won't allow you to disable it (!))

Or, following the workaround instructions in this KB article will do it:

http://support.microsoft.com/kb/892375 End users may be prompted to allow or
block administrative actions that originate from a central management tool
after they install Windows AntiSpyware (Beta) on a computer that is managed
by Systems Management Server 2003

Your observation about the system tray icon is also a known issue. It comes
back after a scheduled scan, and perhaps at other times, as well, even if
set to not show.

This is a beta program, and these issues are probably typical of things one
might encounter in a not-fully-tested program. It is quite possible that
turning real-time protection on and off without requiring a system restart
is not technically possible--or perhaps it simply isn't possible with the
installation technology presently used by the program--which may change.

At any rate, I can't disagree with your observations--they are accurate. I
hope you'll re-test when beta2 is released.

 

[Michael Jennings]

Jim W could fix what he objects to if he wished to.
The user ought to feel he has some control - I think that too.
I hope that by RTM time (if not sooner) regedit isn't needed.

Export the Run key (this is to back it up).

The location in the registry is:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Then prevent MSAS startup.

The value and data to delete in the Run key:
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

 

[Richard]

I was testing MSAS on two computers with WinXP. I have removed it because
of two primary problems.

One: No matter how I set the options, it started every time windows
started. I prefer to have complete control over which programs start with
windows startup. The program was not it the start-up folder under
Programs in the Start Menu. Neither did it appear in MSConfig to disable.
I don't need full time protection from spyware because I'm the only user
of my computer and there is very little chance I'll infect my computer.
All I wanted from MSAS was another program (I already run Spybot and
Ad-Aware regularly) to occasionally scan the computer and clear tracks.

Two: On one of the computers, after turning MSAS off in the system tray,
it kept coming back on. I would turn it off again and it would come back
on. Again I don't like have programs on the computer that I can't control.
I want to be able to shut that program down to have resources for games
and whatever else I'm doing on the computer.

I appreciate that MS is trying to further secure its customer's computers.
However I do not want a program I can't control. There are other programs
that serve the same purpose, are equally as effective, without any
hassles. For now, I will not use MSAS. I may look in on it again in the
future to see if it still has the issues I didn't like, but unless they
fix these issues I will not use the program and I will not recommend it to
friends and family.

Jim W.

Jim,
I am with you 100% on this. I did not realise that it was a problem to
stop MSAS from starting. This is because I use a start up manager to control
start ups and processes. http://codestuff.mirrorz.com/ Using this program
to control start-ups I can run a lean, if somewhat elderly, machine.

So in my case MSAS stays off until I invoke it. Once run it can be stopped
by right clicking the information area icon and choosing disable.

FWIW, to speed up my boot process the only third party programs that I allow
at start-up are my Antivirus program and tablet mouse driver.

Richard.

 

[Bill Sanderson]

Although I agree with Jim W about his description of the program, I don't
agree about the wisdom of keeping it turned off.

The real-time protection afforded by the checkpoints and agents in Microsoft
Antispyware should be, for the average user, an excellent preventative
measure not only for the spyware that the program is aimed at, but also
helpful in alerting them to other activity on their machine they may not be
aware of. For example, Quicktime reinstalls a startup task apparently
periodically during a playback session. I had removed this task with
Microsoft Antispyware, but watched a QT movie. The task came back at the
start of the movie (and was auto-allowed by Microsoft Antispyware as
"safe.") and again further through the playback.

I like having that real-time protection in place--perhaps even more than I
like having my antivirus running.

 

[RobbieA]

Hi Bill:

I too think the idea is bad, but wondered why he bothered
posting the info as he did. It's a Beta, it too is
currently Free and he said he wasn't too worried about
sptware anyway...?

Again there might be something about the info that you or
the other knowlegeable folks might pick up on but for us
casual "non-savvy" types most of what he says against
this Beta looks like..."Horsefeathers"...

RobbieA

 

[JD]

I liked the suggestion by Jim W. about using MSAS like other antispyware
programs, that is running it when I want to but leaving off the real time
protection.
However, I'm confused about how to accomplish this. I've picked up two
"methods" from earlier posts.
1.
From KB Article 892350:
Turn off Real Time Monitoring
In an enterprise-managed environment, you can work around the problem by
turning off the "Real-time spyware threat protection" feature in Windows
AntiSpyware (Beta).
To do this, follow these steps:
1. In the the notification area at the far right of the taskbar, right-click
the Microsoft Windows AntiSpyware (beta1) icon, point to Security Agents
Status, and then click Disable Real-Time Protection.
2. Delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9EF34FF2-3396-4527-9D27-04C8C1C67806}
2.
From a ng post:
To prevent MSAS startup, delete the Run key from the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
Does Method 1 apply only to users "in an enterprise-managed environment,"
and thus not to typical home users?
Should BOTH of the referenced registry keys be deleted?

 

[Bill Sanderson]

I'm not sure of the details on this myself. I did the second method on my
mother-in-laws machine when I installed Microsoft Antispyware and ran it.
Her machine was clean, and the idea of any popup of any kind on her machine
is anathema to me--she can't see all that well, and it would not be helpful
at all.

The first method, though is the one published by Microsoft. What the
difference is, and what happens to that service if you run it in the absence
of the hook, I'm not sure. On systems where there is a perceptable
performance hit associated with real-time protection in place, method 1
alleviates that performance hit.

I don't think the way this works is satisfactory to anyone, and hope to see
some change in the course of the beta. I'm not sure whether
removing/emplacing the shell hook on the fly is technically impossible, or
just not possible with the particular installer toolset used for the current
beta product.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I liked the suggestion by Jim W. about using MSAS like other antispyware
programs, that is running it when I want to but leaving off the real time
protection.
However, I'm confused about how to accomplish this. I've picked up two
"methods" from earlier posts.
1.
From KB Article 892350:
Turn off Real Time Monitoring
In an enterprise-managed environment, you can work around the problem by
turning off the "Real-time spyware threat protection" feature in Windows
AntiSpyware (Beta).
To do this, follow these steps:
1. In the the notification area at the far right of the taskbar,
right-click the Microsoft Windows AntiSpyware (beta1) icon, point to
Security Agents Status, and then click Disable Real-Time Protection.
2. Delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9EF34FF2-3396-4527-9D27-04C8C1C67806}
2.
From a ng post:
To prevent MSAS startup, delete the Run key from the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
Does Method 1 apply only to users "in an enterprise-managed environment,"
and thus not to typical home users?
Should BOTH of the referenced registry keys be deleted?

Although I agree with Jim W about his description of the program, I don't
agree about the wisdom of keeping it turned off.

The real-time protection afforded by the checkpoints and agents in
Microsoft Antispyware should be, for the average user, an excellent
preventative measure not only for the spyware that the program is aimed
at, but also helpful in alerting them to other activity on their machine
they may not be aware of. For example, Quicktime reinstalls a startup
task apparently periodically during a playback session. I had removed
this task with Microsoft Antispyware, but watched a QT movie. The task
came back at the start of the movie (and was auto-allowed by Microsoft
Antispyware as "safe.") and again further through the playback.

I like having that real-time protection in place--perhaps even more than
I like having my antivirus running.

 

[JD]

Thanks, Bill, for your thoughtful reply. Let's see if others weigh in on the
best procedure--or whether it is really not advisable in any case. I noted
your earlier comment that you liked having the real time protection running
on your own computer, and it is probably a good thing for most of us.
As to the "performance hit," it isn't serious: a little delay in launching
Office applications and in closing IE's properties page. I haven't really
noticed much else. No doubt I should leave well enough alone.
BTW, MSAS strikes me as a wonderful program for Microsoft to be providing
gratis. And the current issue of PC World, reviewing a number of antispy
programs, gives it a big thumbs up!

I'm not sure of the details on this myself. I did the second method on my
mother-in-laws machine when I installed Microsoft Antispyware and ran it.
Her machine was clean, and the idea of any popup of any kind on her
machine is anathema to me--she can't see all that well, and it would not
be helpful at all.

The first method, though is the one published by Microsoft. What the
difference is, and what happens to that service if you run it in the
absence of the hook, I'm not sure. On systems where there is a
perceptable performance hit associated with real-time protection in place,
method 1 alleviates that performance hit.

I don't think the way this works is satisfactory to anyone, and hope to
see some change in the course of the beta. I'm not sure whether
removing/emplacing the shell hook on the fly is technically impossible, or
just not possible with the particular installer toolset used for the
current beta product.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

I liked the suggestion by Jim W. about using MSAS like other antispyware
programs, that is running it when I want to but leaving off the real time
protection.
However, I'm confused about how to accomplish this. I've picked up two
"methods" from earlier posts.
1.
From KB Article 892350:
Turn off Real Time Monitoring
In an enterprise-managed environment, you can work around the problem by
turning off the "Real-time spyware threat protection" feature in Windows
AntiSpyware (Beta).
To do this, follow these steps:
1. In the the notification area at the far right of the taskbar,
right-click the Microsoft Windows AntiSpyware (beta1) icon, point to
Security Agents Status, and then click Disable Real-Time Protection.
2. Delete the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{9EF34FF2-3396-4527-9D27-04C8C1C67806}
2.
From a ng post:
To prevent MSAS startup, delete the Run key from the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
Does Method 1 apply only to users "in an enterprise-managed environment,"
and thus not to typical home users?
Should BOTH of the referenced registry keys be deleted?

Although I agree with Jim W about his description of the program, I
don't agree about the wisdom of keeping it turned off.

The real-time protection afforded by the checkpoints and agents in
Microsoft Antispyware should be, for the average user, an excellent
preventative measure not only for the spyware that the program is aimed
at, but also helpful in alerting them to other activity on their machine
they may not be aware of. For example, Quicktime reinstalls a startup
task apparently periodically during a playback session. I had removed
this task with Microsoft Antispyware, but watched a QT movie. The task
came back at the start of the movie (and was auto-allowed by Microsoft
Antispyware as "safe.") and again further through the playback.

I like having that real-time protection in place--perhaps even more than
I like having my antivirus running.

 

[.]

I'm not worried about spyware because I run other anti-spyware programs and
practice safe computing (as safe as anyone can these days). I understand it
is still a Beta. I'll take another look at it when it goes final. If I see
the same problems, I will not use the program.

Jim W.

 

[Michael Jennings]

Well, I posted that you should EXPORT the Run key.
You say someone (I suppose me?) said to delete it. NO!
Exporting creates a .reg file copy in your file system.
After you have exported the Run key AND can scoot
it (exactly as it was) back into the registry, then you can
delete the VALUE in the key launches MSAS on startup.

Real-time protection is there when you request it, then.
If you don't know what you're doing, leave it alone.

2.
From a ng post:
To prevent MSAS startup, delete the Run key from the registry
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
Does Method 1 apply only to users "in an enterprise-managed environment,"
and thus not to typical home users?
Should BOTH of the referenced registry keys be deleted?

Although I agree with Jim W about his description of the program, I don't
agree about the wisdom of keeping it turned off.

The real-time protection afforded by the checkpoints and agents in
Microsoft Antispyware should be, for the average user, an excellent
preventative measure not only for the spyware that the program is aimed
at, but also helpful in alerting them to other activity on their machine
they may not be aware of. For example, Quicktime reinstalls a startup
task apparently periodically during a playback session. I had removed
this task with Microsoft Antispyware, but watched a QT movie. The task
came back at the start of the movie (and was auto-allowed by Microsoft
Antispyware as "safe.") and again further through the playback.

I like having that real-time protection in place--perhaps even more than
I like having my antivirus running.