powerful antispyware

Discussion in 'other anti-malware software' started by sach1000rt, Jun 8, 2007.

Thread Status:
Not open for further replies.
  1. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I wonder which one(s) will survive my boot-to-restore.
     
  2. disinter1

    disinter1 Guest

    SAS Pro for me is top-notch software, and it's so light! :D
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I tried the free version of SAS and then trialed Counterspy v2. Bought Counterspy to run with NOD32.
     
  4. Andreas Haak

    Andreas Haak Software Specialist

    Joined:
    Feb 12, 2006
    Posts:
    86
    You are missing the point. Sure they won't survive a reboot. But until you actually reboot your PC might have sent all your saved passwords to a random irc channel, relayed a few thousand spam mails and distributed child porn around the world.

    So reverting the system to a clean state every reboot is not a solution. At least it is not in my opinion.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Andreas,

    I apologize for asking, but are you the Andreas Haak of Emsi? If so, how is your health (and welcome on-line again)?

    Reg K
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No, I'm not missing the point, if you read my post #23 of this thread. I just don't get what I would really like to have, because such software doesn't exist yet.

    My actual boot-to-restore still forces me to use security software to stop the installation/execution of infections.
    I want an IMMEDIATE stop of ANY unauthorized object on my system partition, not on reboot, and that means: no installation, no execution and no removal.
    Anti-Executable does this already, but only for executable objects; I want a much BIGGER AE.
     
  7. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    2,180
    Location:
    Canada
    ErikAlbert, I agree with you, but that doesn't exist right now, and the original question was "which is the most powerful antispyware" ;)
     
  8. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    As above, but add Spybot Search and Destroy. It's free (but do donate something through PayPal if you can afford it) and it requires you to manually scan the system on a periodic basis. I had a system last week, which would occasionally jam up for no reason. Ran S&D and that would halt halfway through. Kept rerunning it 3 or 4 times, and it made it all the way through, completely fixing the PC in question. Also MJ Registry Watcher is good at spotting spyware/trojan behaviour and only costs 4 GBP (a bit of a plug for me there!)
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Easter already said that AE might be strong enough already as an unconventional anti-spyware. :)
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Here's my vote for SUPERAntiSpyware.
     
  11. Andreas Haak

    Andreas Haak Software Specialist

    Joined:
    Feb 12, 2006
    Posts:
    86
    Even that won't help. Take SQL Slammer for example. No files, no registry keys, nothing.
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    My vote is easily SAS :thumb:
    because it utilizes some under-the-hood technology that none of the other antispyware software uses (despite their claims to be state of the art).

    This is proven by its overall level of effectiveness against kernel-mode rootkit malware, as this is where SAS leaves all comers royally embarrassed :eek:

    Principal example being the Rustock B trojan, which is now approaching its first birthday.

    How many antispyware programs can detect (let alone remove) this kernel-mode trojan when it is active on a machine?

    Spybot and Ad-Aware.... no chance.

    SpySweeper, CounterSpy and Spyware Doctor (the big 3) are surprisingly incapable despite claims of *advanced* technology and detections in the sales blurb :rolleyes:

    How about AVG Anti-Spyware, Prevx 2... nope, and maybe we should widen the field to include the major anti-trojans. How about BOClean or whatever it is repackaged as.... blind as the rest, and the latest evo of a2 goes for a duck as well.

    The bottom line is that SAS is using a trick that the rest need to learn before it yields the most powerful antispyware label in my books :cool:

    It can see stuff that other software is incapable of detecting even when they know the malicious code :thumb:
     
    Last edited: Jun 11, 2007
  13. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    There are also only two antivirus companies that can detect Rustock when it's loaded:
    Kaspersky and Symantec.
    Let's just hope Nick keeps the technology of SUPERAntiSpyware behind lock and key so no one can steal it.
    lodore
     
  14. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Last edited: Jun 11, 2007
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    FWIW, not technically true when the trojan is already native on a computer. There is a difference between identifying an inactive file and detecting it when it is active on a computer.

    See, virtually all definition-based software knows the Rustock trojan code when the file is sat inactive on a machine, so to speak, but the trick is to detect it when it is loaded into ADS and filtering its activities at kernel level on an infected machine.

    NOD32 is incapable of this feat despite its claims to have an advanced anti-rootkit capability :rolleyes:


    Lodore, you are correct: Symantec's latest offerings are including raw disk reading and Kaspersky has recently incorporated this state-of-the-art technology :thumb:
     
  17. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Does SUPERAntiSpyware have similar technology?
    So I've got two of the best antimalware tools on my PC:
    SUPERAntiSpyware and KIS 7.0.
    lodore
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    2 of the best for sure at the moment, but one should always be mindful that the history of technology advances is reactionary to malware evolution.

    In the sense that change is a certainty, and as malware evolves, so should the *cures* and prevention to stay on top of them :cool:

    History shows that 4 years ago Ad-Aware was the great saviour from spyware, but as most experts will acknowledge today, the software has not kept pace with advances/evolutions of malware and as such is now no more than a glorified cookie cruncher with very little effectiveness against the new stuff :'(

    With regards to SAS technology, I am not in a position to reveal/discuss its makeup and operation, but it wouldn't be me not to say that the *Rustock killers* are currently the most capable (advanced) software in town :p
     
  19. EASTER.2010

    EASTER.2010 Guest

    Without a doubt, and that is what is making history in the AS world ATM, because I don't know of any other conventional AS that can duplicate that feat. It's no short order for any AS to be able to not only disable even rootkits but to pull their teeth out completely.

    Just to bring you up to speed a little, fcukdat, there's an active ongoing quest to find the holy grail, which is in full swing, going on for the end-all in total prevention security against ANY malicious intrusions. That's why there is plenty of mention also of rollback proggies, virtualization, and such, as opposed to scanners.

    SAS is presently the ONLY scanner I trust, whether on-demand or resident. There are none others for me, only HIPS/Rollback/Virtualization. :thumb:
     
  20. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Please send the undetected variant to samples[at]eset.com with this thread's url in the subject. If it's actually not detected, we'll add detection. The good news is that advanced heuristics will be improved to recognize such nasties much better.
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    NOD32 does not flag any hidden file as suspicious, as this would produce too many false positives and cause confusion to users. However, some improvements re. rootkits are planned to be incorporated in future versions of ESS (Eset Smart Security).
     
  22. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    He is saying that NOD32, which detects the Rustock (lzx32.sys) sample at VirusTotal, doesn't detect/remove the same sample if it's loaded/installed. Actually, few malware scanners and antirootkits tools are able to detect/remove a Rustock infection.
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    FWIW, SAS does not detect rootkit trojans as suspicious either; it identifies them by name if they are a known entity to the SAS database :thumb:

    As noted by lucas1985, there is a difference between static file identification and *live* file detection when it comes down to rootkit trojans. In a nutshell, kernel-mode trojans rewrite the rule book by subverting/filtering data at kernel level to render traditional AV/ASW/AT scanning methods blind to their presence.
    The detecting engine can go looking for the file/string/MD5 etc., but if the trojan is filtering the results returned from the kernel, then at this point the detection has been bypassed and the software is *blind* to that particular trojan :'(

    Maybe ESS will step up to the plate with new technology; only time will tell :thumb:
     
  24. Andreas Haak

    Andreas Haak Software Specialist

    Joined:
    Feb 12, 2006
    Posts:
    86
    First of all ...

    Rustock actually is quite easy to detect. Saying any application detects rootkits because it detects Rustock is a little bit ... well ... over the top. Saying that an application detects rootkits better than other applications would be more correct ;).

    Regarding one of the applications you've tested: how have you tested Prevx? Because actually, in cases where I tried to run a random Rustock installer, I get the correct warnings and the installation of the rootkit gets blocked.
    Have you stopped Prevx, installed the rootkit and started it again? If so: that's not the way Prevx is intended to work, and I am sure you know that ;).
     
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi AH

    o_O If *loaded* Rustock B is so easy to detect, then why are there so few antimalware programs capable of detection and removal....

    Rustock was cited as a benchmark trojan (nearing its one-year birthday party and widely known about in security circles), but I suppose we could widen the field to include Wincom32, Haxdoor (ntio/poof), all-in-one to include some more kernel-mode malware that has been in the wild for some time now.

    FWIW, Rustock can be easily prevented from going native by blocking the dropper (à la Prevx) or any software that offers HIPS/process firewalling etc.
    Also include any blacklist real-time defender that knows the code, but my info was aimed at the detection and removal of an already native Rustock infection.

    The reason why I failed Prevx was on the basis that the software is introduced into the equation after the infection has taken place. Install, update and run the customary initial setup scan = clean bill of health.

    Not quite the case if Rustock is present; mind you, the software firewall installed is not reporting the large amount of outbound traffic from the infected machine either, as that too has been subverted and, finally, can we say backdoored from a security standpoint :eek:

    Prevx can offer the checkpoint to block it before possible infection (no doubt as with many other programs) but is blind to it when it is already loaded on a machine :cautious:
     