Playing with spywares and scanners

Discussion in 'other anti-malware software' started by aigle, Jun 1, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    A few days back I found some links for downloading some spyware and I thought to give them a try against my security appliances. I just wanted to see for myself how different antispywares behave against these samples.
    Before I proceed I want to say very clearly that these are not tests at all; there were no definite criteria set to compare different scanners. All I can say is it is just my little play with these spywares and I am just sharing my experience with you, and if anybody goes for that he can share it as well, and of course the results can be quite different.
    I put the following appliances on my notebook on XP SP2.

    Real Time Scanners

    Antivir with highest heuristics
    Spyware doctor trial
    Spysweeper trial
    OA Armor trial
    Ewido beta 4 trial
    Windows Defender
    SnoopFree
    Arovax Shield
    AppDefend trial

    On-demand scanners

    Spybot
    Adaware
    SuperAntispyware free

    Updated all (version and signatures) and made a clean snapshot of my system. Excluded the option for cookie scanning from them (not all scan for these though).

    Then I went to some web pages and tried to download the following spywares:

    WinFixer 2006
    SpyAxe
    UnSpyPC

    Some games and video

    Best work was done by SpySweeper (the Web Shield component of it): it immediately blocked my access to the download pages for WinFixer and some others when I clicked the link, very fast action, and it was the first one to respond. I was really surprised. Also Spyware Doctor (the Process Guard component of it) stopped some of them from downloading by clearing them immediately. Windows Defender did not give any warning, just sleeping there. Ewido gave no warning as well, which surprised me. BTW Antivir cried too much on WinFixer and SpyAxe and I was happy to see its rapid response. Ewido gave a warning but once only; however I can't say exactly, as by mistake it was disabled and I noted it later and enabled it and it cried once. So I don't know exactly how it behaved here. I disabled SpySweeper and Spyware Doctor, ignored the warning of Antivir and downloaded WinFixer, SpyAxe and UnSpyPC.
    Now I enabled all scanners again and tried to install them.
    Again SpySweeper and Spyware Doctor stopped me multiple times, telling rightly about the threat, and Spyware Doctor's "process guard component" removed some after showing pop-ups. Antivir was crying as well, but on WinFixer and SpyAxe. SnoopFree gave me a warning only once, but I think this is pretty useless as it gives the same warning for both legitimate software and malware, so there is no way for you to decide whether the software about which it is warning is malware or not. No database in it. Arovax Shield warned immediately when some components were added to start-up or as a BHO; however this is also not useful, as you have to decide yourself what is good and bad. BTW, Windows Defender just woke up once and told me that there is one component added to Windows start-up, which I happily accepted. I ignored all warnings and installed the three spywares (though I guess not completely, as Spyware Doctor removed some components) and ran a short scan by these "anti-anti-malware scanners" but did not opt to fix anything.
    About Online Armor, I like it so much, but I will say I realized that it is not so useful for an average user like me, as it will treat all unknown processes and malware the same. AppDefend is even worse, as it will cry too much, but the same for malware and legitimate installations, so I disabled both during installation of these spywares. They are for advanced users only. I would prefer a HIPS that only cries on some potentially dangerous activity, not on all executions; I used in the past and liked the HIPS component of ZA Pro, but again I will say OA may be better than this as it covers much more, but it would be much more useful if it had some database of malware for real time protection. AppDefend is just too much for any average user.

    After this I ran a Quick Scan with all scanners.
    Spyware Doctor apparently found the maximum entries (but I am not an expert, as all scanners count differently and there is no way/time for me to analyze all these; I just took a look and it was the one that took out the maximum registry entries, and that is my experience even in the past). SpySweeper was good as well and SuperAntispyware free edition also (best of the free scanners). Adaware acceptable results. Spybot very poor and disappointing; my opinion about this has changed now. Ewido and Windows Defender results were poor, so I ran a complete scan by them and the results remained poor. Bazooka never brings out anything, but I tolerate it only as it scans in a second, and BTW it showed one entry "Exploit perlink.biz" (don't know what this is). I scanned only selected locations by Antivir and it found two signatures of WinFixer and one of SpywareAxe.

    I ran the security checkup wizard of OA and the results were not so impressive. It found UnSpyMe in start-up but missed WinFixer and SpyWareAxe in Program Files.

    BTW, I was surprised to see that one of these, probably UnSpyPC, came bundled with the Yahoo toolbar, although it was clearly mentioned, but it doesn't matter. However when I installed it, it was not installed. It's really too bad, shame on Yahoo (I wonder if it is some trick against Yahoo). Anybody has an idea?

    I also ran HijackThis; there was some error while scanning with this, however whatever it scanned I analyzed with two automated analyzers on the web and they found nothing. The results were almost the same as they were a few days back when I did it without spywares on my system; however I did not analyze in detail, maybe some error or I missed something.

    About the removal of these spywares I did not check much, as I know all scanners will claim that they have removed these components, but I am not so expert to check whether they have actually done it 100% or not. I will just clean the spywares with SuperAntispyware free edition and will do a new scan with SpySweeper to see what is left over there and will post the result. After that I will roll back to my clean system.

    Below I will post some snapshots of different scanners. At the end I will emphasize again that these are no tests, just a bit of play, as I wanted to see practically how these scanners play on my system. There is no offence against any product as well. Also the results can be quite different on your machine. I got a few malware links only. If anybody has some spyware/trojan download links, pls PM me. Thanks and pls give your opinions as well.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    SpySweeper and Spyware Doctor; Spyware Doctor brought out hundreds of registry entries!
     

    Attached Files:

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Adaware and Spybot. Spybot is really disappointing. I am thinking of removing it.
     

    Attached Files:

  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    SuperAntispyware, Ewido 4 and Windows Defender.
    Ewido disappointed me as I never expected this (it was a complete system scan).
    SuperAntispyware might be my first line scanner from now.
    Windows Defender, I will say it is an empty scanner. Just some colors. Sure I will remove it. MSAS was much better than this. It seems crap.
     

    Attached Files:

    • plus.JPG (105.8 KB, 319 views)
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Antivir and OA.
    Antivir is really great. OA: I like it too much, but it did not work as I expected.
     

    Attached Files:

  6. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    Nice thread there..... SpySweeper being top antispyware, WOW :eek: ! Was that OA or OA AV+?

    dja2k
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It was OA (plain), as I used Antivir here. OA is basically a HIPS; I was thinking one can replace his realtime antispyware with it, but now I think not so. However it is a nice add-on to it. Similarly Ewido can't replace antispywares, now I know, as some people have suggested here in the past. And Windows Defender is totally rubbish at the moment.
     
  8. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    What if you use OA AV+ without any other AV? I could have told you that Windows Defender is rubbish!

    dja2k
     
  9. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,530
    Location:
    St. Louis, MO

    Nice thread aigle,

    Have you tried Prevx or would you? Just curious what the results would be.
     
    Last edited: Jun 1, 2006
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I did not try it. I installed Prevx1R long ago but it slowed my system so I removed it. Can't say anything. Of course it will pop up on execution of the spyware exes, but I don't know if it will clearly label them malware or unknown. If it labels them unknown then it's not a good protection, as any execution control HIPS will give this protection. I might give it a try, but time is the matter, as I am a bit busy in my studies and the above play almost took two days. And I am already in a clean snapshot of RollbackRx now.
    BTW, I installed the NOD32 trial on default settings. It did not find anything, neither on attempted download nor on scanning of the installed files (WinFixer and UnSpyPC); it is really strange, as Antivir immediately caught WinFixer the moment I tried to download it.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It depends upon how good the AV part of OA Plus is in catching spyware, but I don't expect too good, as it is basically an antivirus plus OA, no extra antispyware component in it as far as I know, but still you can't predict.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I never expected it so bad, as I used MSAS for a long time; it was much better and I think it would have caught many of these things in real time.
    Imagine, out of hundreds of entries it did not catch even a single one. I bet even the most stupid antispyware would have caught some of these entries.
     
  13. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    That goes to tell you how good the Windows Live OneCare in Windows Vista will be, nothing but Rubbish Rubbish Rubbish!

    dja2k
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think they will improve defender. Initial results of OneCare are not bad.
     
  15. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    The AV it uses is KAV, so I expect it should be pretty good at detecting other malware like spyware. I would be curious to see the result myself.

    muf
     
  16. lu_chin

    lu_chin Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    295
    Is it possible that running some of the mentioned security programs will somehow "mask" detections by one from the others? For example, if a malware tries to change the Windows HOST file, will all the security programs that supposedly detect changes to it start displaying warnings one by one?

    Regards,
    Lu Chin
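    The HOSTS-file watcher lu_chin describes above is easy to sketch. The following Python is an added example for this thread, not code from any of the products named in it: it parses the HOSTS file, diffs it against a saved known-good baseline and rates each change, treating a redirect to loopback (the usual way an unwanted program blocks vendor update servers) as a warning and a redirect to any other address as critical. The file contents and the domain names in it are constructed for the example; the only real value is the default Windows path of the HOSTS file.

```python
"""Baseline-diff check for the Windows HOSTS file.

Added example (not code from the thread or from any product named in it):
parse the HOSTS file, compare it with a known-good copy and rate each change.
The file contents and domain names below are constructed for the example.
"""
from typing import Dict, List, Tuple

# Constructed sample: a clean HOSTS file of the kind Windows XP ships with.
BASELINE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
"""

# Constructed sample: the same file after an unwanted program edited it.
# One line sinkholes a (made-up) vendor update host, the other redirects a
# (made-up) banking site to an address that is not the local machine.
MODIFIED_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.example-av.test    # blocks vendor updates
10.0.0.5        www.example-bank.test     # redirects to another host
"""

# Real location of the file on Windows, used by check_hosts_file().
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# (hostname, old_ip, new_ip, kind) with kind in {"added", "removed", "changed"}
Change = Tuple[str, str, str, str]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to the address it is given.

    Comments after '#' and blank lines are ignored; one line may list several
    names for one address.  If a name appears twice this example keeps the
    first occurrence.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no name
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def diff_hosts(baseline: str, current: str) -> List[Change]:
    """List every mapping that was added, removed or changed since the baseline."""
    old, new = parse_hosts(baseline), parse_hosts(current)
    changes: List[Change] = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append((name, "", new[name], "added"))
        elif name not in new:
            changes.append((name, old[name], "", "removed"))
        elif old[name] != new[name]:
            changes.append((name, old[name], new[name], "changed"))
    return changes


LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")


def severity(change: Change) -> str:
    """Rate one change.

    A removed line is informational; a new mapping to loopback (a sinkhole,
    the usual way update servers get blocked) is a warning; a mapping to any
    other address (possible redirection to a hostile host) is critical.
    """
    _name, _old_ip, new_ip, kind = change
    if kind == "removed":
        return "info"
    if new_ip.startswith(LOOPBACK_PREFIXES):
        return "warning"
    return "critical"


def report(baseline: str, current: str) -> List[str]:
    """One human-readable line per change, prefixed with its severity."""
    lines: List[str] = []
    for change in diff_hosts(baseline, current):
        name, old_ip, new_ip, kind = change
        lines.append(f"[{severity(change).upper()}] {kind}: {name} "
                     f"{old_ip or '-'} -> {new_ip or '-'}")
    return lines


def check_hosts_file(baseline_path: str,
                     hosts_path: str = DEFAULT_HOSTS_PATH) -> List[str]:
    """Run the same check on disk: a saved baseline against the live HOSTS file."""
    with open(baseline_path, encoding="utf-8", errors="replace") as f:
        baseline = f.read()
    with open(hosts_path, encoding="utf-8", errors="replace") as f:
        current = f.read()
    return report(baseline, current)


if __name__ == "__main__":
    # Runs entirely on the constructed samples; no file access needed.
    for line in report(BASELINE_HOSTS, MODIFIED_HOSTS):
        print(line)
```

    Run stand-alone it prints two lines: a WARNING for the sinkholed update host and a CRITICAL for the redirected banking site. Saving a copy of the clean file right after the "clean snapshot" step in the first post and pointing check_hosts_file() at it is enough to tell, independently of which resident scanner reacted first, whether the file was touched at all.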
     
  17. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    Hey aigle,

    Great job! Very interesting reading.
    Thank you for taking the time to test and post about it.:thumb:
     
  18. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Great test, aigle! Though it's made me think hard about Ewido. Perhaps (pure) antispywares aren't as obsolete as I once thought.
     
  19. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    Hi Aigle,

    Nice thread :) Just would like to clear up a couple of the OA comments...

    First of all, OA is not really a spyware scanner; it is more focused on alerting for any unknown programs, and trying to minimise those alerts by way of the whitelist.

    The AV part is the Kaspersky engine. In AV+ it's used during the full system scan, and it will also scan any program OA does not recognise. It uses the standard KAV datasets (not the extended sets) - but we will surface that as an option soon.

    If you just compare plain old OA as a spyware scanner the results would be terrible; that's not what it does. Its focus is on preventing new infections (with your help) rather than curing existing ones.

    OA should have alerted you, however, when each of these things installed. Using the right-click option in the programs screen (assuming that you have program tracking turned on) would have removed the programs and the files/reg settings they created. Sort of like a realtime fix-tool (and that's an aspect we'll be working on some more later).

    Now about the popups/whitelist. This is getting a significant update soon. Work is already in progress and we're really going to try and accelerate the updates to that list.


    Mike
     
  20. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    I am surprised by the reactions to Ewido Anti-Malware and MS Windows Defender performance on this thread.

    Ewido started out as an anti-trojan tool and is, hopefully, moving towards becoming a viable anti-spyware tool. I purchased Ewido for its anti-trojan capabilities. See the link to various anti-spyware reviews here:

    http://www.firewallguide.com/spyware.htm

    Search for Ewido at this link and you will come up empty. It will take some time for Ewido to match your expectations. My worry is that in an attempt to become a better anti-spyware product, Ewido will lose ground as an anti-trojan product and a search for Ewido will also come up empty here (currently it does not come up empty):

    http://www.firewallguide.com/anti-trojan.htm

    If Ewido becomes a mediocre anti-trojan product and a less-than mediocre anti-spyware product that fails to be mentioned in on-line anti-spyware reviews, Grisoft will probably be crushed by MS and other security suite vendors.

    Regarding MS Windows Defender, MS took a top anti-spyware product, Giant, and has turned it into a mediocre product. No surprise here. MS is grossly over-extended and I cannot imagine them having a top-of-the-line security suite. However, the majority of home users do not care. Similarly, most SOHO users probably do not care. The corporate world, I believe, does care. Let's see how well MS does there.

    bktII
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It is quite possible. Sometimes conflicts can cause these programmes to fail to work as they should.
    There is another issue: some scanners pick up the malware before the others, and will either give a pop-up or remove the malware automatically according to their settings. Now if the malware is already removed by one scanner, the other scanners will not give any warning, as the malware is removed already.
    In my case I usually tried to play with them together and also singly, by disabling the active protection of one and enabling the active protection of the other, but still conflicts can happen, esp. if the two scanners are of the same category.
    Also some of them immunize the system etc., so that's why I told you these are not tests, just a little play. But personally I have got a very good idea of these programmes, as I have put them against malware for the first time, and if you see something yourself, you doubt many reviews and big claims by many vendors.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @the tester
    @WSFuser

    Thanks, but I will again repeat that it will be better not to call them tests, as they are really no tests. I know you can well understand it; however some of the users here may be misguided by it.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    OA, BoClean, etc. once gave me the same idea, but after this I have changed my mind.
    My security set-up now is AV, Firewall, Antispyware ... plus anything/things I like.
    (BTW, I wish I could try BoClean!)
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks Mike! BTW you might remember me from your forums. I am thankful to you for giving me the key for this trial. So I feel sorry to write anything against OA, but I will feel more sorry if I hide my feelings and facts. And I know very well you are really a fair person, not just a product representative.
    You are right and I understand it, but you know I tested it because of some phrases I read: "almost all you need", "a revolutionary product" etc. No offence by the way.
    Also I think the whitelist needs a massive update, but personally I would stress more on a blacklist.
    I hope I will try to run a trial of it when I get some time in the future.
    Preventing new infections is one essential part of any AS as well, and I did try to compare OA in this regard actually (unfortunately most of them are very poor in this regard). Also I don't know how much help it wants from me, and the average user is usually helpless in this regard.
    It did alert me when I ran the exe files of these spywares, but the alert was very similar to the alert that I get when I run the exe install file of many legitimate software. So I don't get excited about it. It's a simple execution control that many programmes are providing. I have tried ZAP and like it, but again here my biggest annoyance was that ZA Pro's alerts many times will not tell about the executing programme, is it good or bad (and I think OA does not tell at all, rather worse in this regard).
    On the other hand Spyware Doctor was best in this regard. It has a process guard component; when I ran the exe files, it immediately jumped and automatically cleared the malware file with a small pop-up (however there was no option to do it in an interactive way). SpySweeper acted in another way, even at an earlier stage; it just popped up and stopped my access to the download link with a brisk pop-up. And when I did install malware it warned me clearly that it has found a malware and also some known malware / some unknown start-up entries. Ideally I would have liked to combine the real time protection of both of these, as they are a bit different; the combo will be nice provided no conflicts.
    I had the AppDefend free version and it gives even more pop-ups than OA, but again almost of little use to me, as I can't guess what is malware and what is a legitimate exe. So I think I can get the same thing from PG Free and AppDefend in this area if I want mainly execution precaution dependent on my own knowledge only.
    I will say you need to put in a rather good blacklist rather than a whitelist. Both are not exhaustive, but I feel a blacklist is smaller than a whitelist and gives you a good sense of security and less annoyance with fewer pop-ups.

    Finally I will say OA is a great programme, but pls add a blacklist to the pop-ups and I bet it will kill any other real time antispyware scanner. I have many other things in my mind about the improvement, but I am not a programmer. To suggest is easy, but to write a good piece of software is ..... too difficult; just my thinking.
    Thanks.
     
  25. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,121
    Location:
    South Texas, USA
    So what would you say is better, Spyware Doctor or SpySweeper? If I remember correctly, Spyware Doctor used to be a memory hog, but they fixed that already. As for SpySweeper, don't know how it is now.

    dja2k
     