eburger68
Premium Member
join:2001-04-28

3 recommendations

eburger68

Premium Member

New Anti-Spyware Tests

Hi All:

Over the past 2 days I've performed yet another round of tests with 20 anti-spyware scanners, this time using a new collection of spyware and adware picked up from my favorite "test" site, "Innovators of Wrestling" (iowrestling.com). As before, I identified a core set of "critical" detections and monitored how thoroughly each anti-spyware scanner removed the "critical" detections. You can find a list of those detections on the Guide page here:

»spywarewarrior.com/asw-t ··· ections2

The results of this new round of tests can be found on these two pages:

»spywarewarrior.com/asw-t ··· ts-3.htm
»spywarewarrior.com/asw-t ··· ts-4.htm

As I requested before, please have a look at the Guide page before proceeding to the results pages. The Guide page has been revised to account for these new tests. As always, the "Disclaimers" section on the Guide page is "must read":

»spywarewarrior.com/asw-t ··· claimers

One aspect of these latest tests worth noting: the collection of spyware and adware used for this round of tests included some especially nasty software that proved difficult, if not next to impossible, for the anti-spyware scanners to remove. In particular, the key processes for the following adware/spyware were not killable at all:

IBIS Toolbar/Websearch
IBIS Toolbar/WinTools

The executables were simply too well protected in memory. Even the DiamondCS process tools APM and APT could not remove those processes and modules from memory.

The standard procedure that anti-spyware scanners use in this situation is to remove the files on reboot by configuring the scanners to run through the HKLM\...\RunOnce key. Not a single anti-spyware scanner succeeded in doing that, however, because one of the above processes -- or perhaps it was the VX2 3dsdpi.dll module that was attached to the Winlogon process, a core Windows system process -- blocked changes to the RunOnce key. Still worse, the files mentioned above could not even be removed in Safe Mode.

This all is a potentially huge problem. The only way I succeeded in removing those files was to boot to a command line using SysInternals' ERD Commander 2000. A bootable CD could be used to achieve the same result.

Finally, before anyone asks, let me indicate right now that I am not going to put together a table summarizing the combined results of both rounds of tests. Were I to do so, that table would immediately be taken as a definitive ranking of the products tested, and that kind of ranking is simply not warranted solely on the basis of these two rounds of tests. Moreover, I know that once that table appeared, people would link only to the table, and the rest of the critical information and context regarding these tests would get lost in the rush to judgment.

In any case, questions, comments, and suggestions are always welcome.

Best,

Eric L. Howes

hayc59
Your a Daisy
Premium Member
join:2001-02-26

hayc59

Premium Member

Thank You Eric!!:)

dp
MVM
join:2000-12-08
Greensburg, PA

1 recommendation

dp to eburger68

MVM

to eburger68
Thanks for keeping us all informed Eric. Unfortunately, nasty spyware just keeps getting worse.

Owlbet
Ignite the Ice
Premium Member
join:2002-09-24
Palmer, AK

Owlbet to eburger68

Premium Member

to eburger68
Eric:

Well done! Thanks to your hard work we've become more informed and educated to the dangers that lurk in the dark recesses of the internet.

Owl

mers2
Premium Member
join:2004-03-20
USA

mers2 to eburger68

Premium Member

to eburger68
Once again you've gone above and beyond the call. Thank you for the very informative test results. Computer users now have some valid information to make choices on.
sean2002
join:2002-03-03
Ocala, FL

sean2002

Member

Looks like the only way to prevent some of the nasty spyware is to stop it from installing; this is where applications like SSM and Process Guard really come in handy.
Indy Sabre
Sabre Rider From Indianapolis
join:2003-10-02

Indy Sabre

Member

Would these nasties be prevented from installing if you were on a limited user account?

If they were active on a limited user account would deleting that specific account get rid of them?

keith2468
Premium Member
join:2001-02-03
Winnipeg, MB

keith2468 to eburger68

Premium Member

to eburger68
Excellent work Eric.

So of the free and donationware products, so far Ad-aware SE is doing the best?

And overall GiantAS is doing the best, and is available as a full-function 15 day trial, and USD30 per year after that.
Terikan
join:2004-10-07
Russell, KS

Terikan to eburger68

Member

to eburger68
No, Indy, at least not for most.

I believe the newest spybot has good ad/spyware prevention in it, maybe we should do some comparisons on that and see who comes out on top.
oldhand
Premium Member
join:2003-05-16
Saugus, MA

oldhand to eburger68

Premium Member

to eburger68

What happened to Norton?

As many consumers appear to believe that the Symantec/Norton tools are "the best", would you please consider testing their current offering? It might open some eyes...

MRNVGVUP
join:2003-04-12
Sharon, PA

MRNVGVUP to eburger68

Member

to eburger68

Re: New Anti-Spyware Tests

Well, I am willing to make a claim and not beat around the bush.

Run and use Spybot Search & Destroy and Ad-Aware SE and you have a pretty dang solid game plan against *'ware!

Also, I use SpySweeper... this one is not free ($30), but, it has features the others do not. So, I run all three. Finally, use Mozilla Firefox (Amono's build rocks!) and you will be in a right nice position.

There, forget the reviews.. because we all don't have weeks and weeks to listen to puffed up BS and analysis etc. etc.

Glad to be of help!
huntandpeck
join:2002-01-01
Alexandria, VA

huntandpeck to eburger68

Member

to eburger68
I took eburger68's data and put it in a spreadsheet for further analysis using an OR function. I don't guarantee that I have the best combinations because it would take forever to test every possible one, but these seem to give a lead on what one should try. I'd be happy to post the spreadsheet here for others to look at, but I do not know if it is allowed:

Num. Combination
-------------------
217 Pest Patrol, Giant AS
241 Ad-aware SE, Pest Patrol, Giant AS
257 Ad-aware SE, Spy Sweeper, Pest Patrol, Giant AS
267 Ad-aware SE, Spy Sweeper, Pest Patrol, Giant AS, SW Doctor
270 Ad-aware SE, Spy Sweeper, Pest Patrol, Giant AS, SW Doctor, SW Cop
-------------------
285 Total

Num. shows the number of different spyware covered by the various combinations of programs out of a total of 285.
eburger68
Premium Member
join:2001-04-28

1 edit

eburger68

Premium Member

huntandpeck:

Those are some interesting numbers that you put together. The most telling one is the combination of 6 programs that you came up with to remove 270 of the 285 detections.

One way to look at that number is to recognize that to get most of it, you'd need 6 programs. Think about that. 6 programs. And even then you'd have junk left over.

Another way to look at it is to recognize that any one of those six programs would catch something that the others had not. That in itself is interesting, given the number of posts that we see from folks who claim that XYZ anti-spyware program is "better" than ABC anti-spyware program because XYZ anti-spyware program found things that ABC did not.

As I've said several times now in other threads, you can run any combination of anti-spyware in any order and the last in the chain will almost always find something the others did not. That's true even when you're running SIX anti-spyware programs back to back.

Something to remember the next time you see someone touting a particular anti-spyware program simply because it found something that Ad-aware, Spy Sweeper, Pest Patrol, or Spybot S&D did not.

Eric L. Howes
huntandpeck
join:2002-01-01
Alexandria, VA

huntandpeck

Member

As it is, there seems to be 15 that aren't detected by anything:

WCPR-01
WCPR-02
WCPR-03
WCPR-04
MISC-02
IBWS-03
IBWT-02
MIDL-02
MIDL-03
NLIT-01
NLIT-02
TVM-03
VX2L-01
VX2L-02
MISC-03

This means that my combination of the six programs detects all that currently can be detected (285-270=15). I haven't been plagued with spyware because I tend to stick to mainstream web sites, but I was curious whether any combinations from your lists would cover everything in case I needed it.

Cliff Otto

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro to eburger68

to eburger68
Excellent points. Oh, and if anyone is wondering what Giant AntiSpyware looks like in action on a system - check out that pic above.

That was an innocent capture - some ActiveX over at the iPods site. But since I really didn't want to sign up for iTunes, I blocked it anyhow. Cool.

Glad some of you already did the footwork on determining what an effective combination of tools would be, I was thinking of doing the same thing. Now, since I already have PestPatrol, Giant AS, Spybot S&D, AdAware, and a few more, at least I won't have to buy all 6 to have a full tool box.

But it seems most (even Giant AS) make claims they cannot back up, or at least eburger68's tests don't back up: that they remove everything in the way of malicious spyware.
eburger68
Premium Member
join:2001-04-28

eburger68 to huntandpeck

Premium Member

to huntandpeck
Cliff:

Unfortunately, I don't think you're going to find a nifty combo of anti-spyware programs that will remove everything, and that in itself is a depressing realization. Whenever I clean up a spyware infested box, I know in advance that I'll be doing a good amount of the removal myself. The anti-spyware scanners are useful for automating much of the removal and for identifying just what's on the box. Nothing can substitute for a good perusal of the hard drive and Registry yourself, though.

One thing I ought to note: many of the programs detected some of the items you list -- they just couldn't remove them. That's esp. true of the IBIS/Wintools and IBIS/Websearch items.

Best,

Eric L. Howes
huntandpeck
join:2002-01-01
Alexandria, VA

huntandpeck

Member

said by eburger68:
One thing I ought to note: many of the programs detected some of the items you list -- they just couldn't remove them. That's esp. true of the IBIS/Wintools and IBIS/Websearch items.
Eric, thanks for clearing up that misunderstanding on my part.

One frequently finds responses to people who are being plagued by spyware that suggest they run program A, then program B, but I think what I found, based on your work, is that the programs I've heard touted aren't the best starting point. One could go broke, though, buying all these programs. I guess the next step would be to try to find the least expensive combination(s).

Cliff Otto
goddan
join:2001-01-15
Quaker Hill, CT

goddan to eburger68

Member

to eburger68
Great stuff! Thank you, Eric!

I took huntandpeck's analysis a little further, and used Excel to generate a table of all possible combinations of 2 programs. I got 22 that did better than Giant AS alone (which was 197 hits). The "classic" Ad-aware/Spybot combo only scored 168. But I would like to reinforce Eric's disclaimers. He did a good job on the limits of this kind of test--read it! Also, this only covers detect-and-remove, not the programs' ability to stop infection in the first place (clearly important for IBIS!). That said, here's what I got from his data (sorry for not aligning columns--I'm better with Excel than HTML):

Program 1 + Program2 = Hits
Giant AS + Ad-aware SE = 229
Giant AS + Spy Sweeper = 226
Giant AS + SW Doctor = 222
Spy Sweeper + SW Doctor = 222
Giant AS + Pest Patrol = 217
Giant AS + SpyBouncer = 214
Giant AS + Spybot S&D = 212
Giant AS + ZeroSW = 211
Giant AS + SWStormer = 211
Giant AS + SW COP = 210
Giant AS + XoftSpy = 208
Ad-aware SE + SW Doctor = 207
Giant AS + NoAdware = 206
Giant AS + Aluria SE = 206
Giant AS + SpySubtract = 205
Giant AS + AntiSpy = 204
Giant AS + X-Cleaner = 202
Giant AS + SK 2005 = 202
Giant AS + McAfee AS = 201
Giant AS + SpyHunter = 201
Giant AS + BPS SWR = 201

I did get 287 possible hits, not 285, but that should be close enough!
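
The "OR" analysis that huntandpeck and goddan describe above, as an added example (not either poster's spreadsheet): it scores every two-scanner pair, builds a combination greedily by marginal gain, and lists what nothing removed. The scanner names, detection IDs and removal sets are constructed placeholders, not figures from the test pages.

```python
from itertools import combinations

# Constructed sample data: scanner -> set of detection IDs it fully removed.
# Names and IDs are placeholders, not results from the published tests.
REMOVED = {
    "ScannerA": {"D01", "D02", "D03", "D04", "D05", "D06"},
    "ScannerB": {"D01", "D02", "D07", "D08"},
    "ScannerC": {"D03", "D04", "D09"},
    "ScannerD": {"D05", "D06", "D07", "D10"},
}
ALL_DETECTIONS = {f"D{i:02d}" for i in range(1, 13)}  # D11, D12: removed by none


def coverage(names, removed=REMOVED):
    """Union (the spreadsheet "OR") of what the named scanners removed."""
    covered = set()
    for name in names:
        covered |= removed[name]
    return covered


def rank_pairs(removed=REMOVED):
    """Score every two-scanner combination, best first."""
    scored = [(len(coverage(pair, removed)), pair)
              for pair in combinations(sorted(removed), 2)]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


def greedy_combo(removed=REMOVED):
    """Repeatedly add the scanner with the largest marginal gain."""
    chosen, covered = [], set()
    while True:
        gains = {n: len(s - covered) for n, s in removed.items()
                 if n not in [c for c, _ in chosen]}
        best = max(sorted(gains), key=gains.get, default=None)
        if best is None or gains[best] == 0:
            return chosen, covered
        chosen.append((best, gains[best]))  # (scanner, new removals it added)
        covered |= removed[best]


def never_removed(removed=REMOVED, universe=ALL_DETECTIONS):
    """Detections that no scanner in the set removed."""
    return sorted(universe - coverage(removed, removed))
```

Greedy selection is a heuristic and does not guarantee the best possible combination of a given size; on a real removal matrix it is a quick way to see how small the marginal gain of each additional scanner becomes.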
cp70
join:2004-10-08
Watertown, NY

cp70 to eburger68

Member

to eburger68
I'm pretty new to internet security so don't flame me for being ignorant. I take it from the posts above that people are using more than 1 anti-spyware program.

How many scanners can a system safely handle without causing errors and crashing each other? Can you also use more than 1 antivirus program?

Seems like you would need a ton of memory just to have that many different scanners & processes running at once in the background. I know you can have more than 1 firewall 'cause I'm behind 4.

Damn, I thought McAfee firewall + & Antivirus with Webroot Spysweeper was expensive enough. Now what, a major memory upgrade & 20 more software programs?

Kinda depressing.

muf9
Captain of the axe
Premium Member
join:2003-01-04
uk

muf9 to eburger68

Premium Member

to eburger68
said by eburger68:
One thing I ought to note: many of the programs detected some of the items you list -- they just couldn't remove them. That's esp. true of the IBIS/Wintools and IBIS/Websearch items.
Eric, you are probably aware that TrojanHunter is expanding into the adaware field. If I could point you to this thread.
»Let's talk...
It explains that TrojanHunter can deal with the IBIS/Wintools and IBIS/Websearch items. I know TrojanHunter has a lot of catching up to do and I suspect if tested with the malware in your recent tests may not fare as well overall as say a dedicated Anti-spyware application, but it is comforting to know there is an application out there that can handle these particularly nasty items.

muf
VirtualLarry
Premium Member
join:2003-08-01

VirtualLarry to cp70

Premium Member

to cp70
said by cp70:
How many scanners can a system safely handle without causing errors and crashing each other?
Most of them aren't real-time resident, they are on-demand scanners.
said by cp70:
Can you also use more than 1 antivirus program?
Sure, although I personally recommend only having one being enabled for real-time resident scanning.
said by cp70:
Seems like you would need a ton of memory just to have that many different scanners & processes running at once in the background. I know you can have more than 1 firewall 'cause I'm behind 4.
You are running four software firewalls, on the same machine, at once??? That's quite remarkable. I'm curious which ones they are, and how they fare. It is highly unlikely that a selection of four gives any greater security than one, if properly configured. You may actually be reducing your network security in some cases.
said by cp70:
Damn, I thought McAfee firewall + & Antivirus with Webroot Spysweeper was expensive enough. Now what, a major memory upgrade & 20 more software programs?
Many, if not most, of the generally well-recognized and effective on-demand anti-spyware scanners, are free for limited personal use.

Khaine
join:2003-03-03
Australia

Khaine to eburger68

Member

to eburger68
Thanks eric

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

John2g to eburger68

Premium Member

to eburger68
said by eburger68:

One thing I ought to note: many of the programs detected some of the items you list -- they just couldn't remove them. That's esp. true of the IBIS/Wintools and IBIS/Websearch items.
Those are 2 reasons that I use BOCLean. It removes them both completely.

muf9
Captain of the axe
Premium Member
join:2003-01-04
uk

muf9

Premium Member

said by John2g:
Those are 2 reasons that I use BOCLean. It removes them both completely.
Thanks John. I suspected as much. So both BOClean and TrojanHunter remove them. I have both applications. Lucky me. And I suspect there are more applications out there that can, but most likely AV and AT apps.

muf
cp70
join:2004-10-08
Watertown, NY

cp70 to VirtualLarry

Member

to VirtualLarry
I am running a wireless connection firewall, XP SP2 firewall, McAfee firewall +, router firewall. All ports appear stealth according to BBR port tests. Haven't had a single problem with any of them.