
Anti-Spyware Tests, Guide, Round 1


5 replies to this topic

#1 TeMerc

    Countermeasures Team Leader

  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 03 October 2004 - 04:59 PM

Hi All:

This weekend I completed the first of several rounds of tests with anti-spyware scanners. In this first round I tested 10 of the better known anti-spyware scanners. Before jumping to the results, please look over the "Test Guide" page here:

http://spywarewarrior.com/asw-test-guide.htm

In particular, please pay attention to the several important disclaimers on that page. You can find a link to the test results for Round 1 on that "guide" page.

I hope to have the second round of tests with 10 other anti-spyware scanners done in the next few days. Round 2 results will be reported on a new page, and a link provided when that page is available.

Questions, comments, and corrections are, of course, always welcome.

Best regards,

Eric L. Howes


Great service he does for us all, isn't it? :thumbsup:
Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,503 posts
  • Gender:Male
  • Location:USA

Posted 03 October 2004 - 05:10 PM

Excellent info... as always, Eric's work is invaluable.

#3 TeMerc

    Countermeasures Team Leader

  • Topic Starter

  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 04 October 2004 - 12:38 PM

Round 2 of tests posted:

Hi All:

I just posted the second round of test results, which includes a number of tests with lesser known anti-spyware applications.

http://spywarewarrior.com/asw-test-results-2.htm

If you haven't already done so, please do review the Test Guide and the disclaimers on that page:

http://spywarewarrior.com/asw-test-guide.htm

Best,

Eric L. Howes



#4 noonytunes

  • Members
  • 660 posts
  • Gender:Female
  • Location:Alcalde, New Mexico

Posted 04 October 2004 - 02:19 PM

:thumbsup: Do you have any experience with SpySubtract? It was recommended on the Hewlett-Packard site, and I have a Hewlett-Packard. I ran into problems with Spyware Search and Destroy...I lost most everything and had to use Application Recovery. I've been laboring for a week trying to get the right downloads before I do SP2. Anyway, SpySubtract caught things that Spyware Search and Destroy didn't. I deleted SSD. The problem was that my computer wouldn't reboot...and it seemed to have something to do with that rundll. I'm not knowledgeable about the technical end of things...so, I hope this makes sense to you.
:flowers:
noonytunes

#5 cowsgonemadd3

    Feed me some spyware!

  • Banned
  • 4,557 posts

Posted 04 October 2004 - 02:22 PM

I do, it's a great program! I use it and it works great! I would recommend it, and do on my site!

#6 TeMerc

    Countermeasures Team Leader

  • Topic Starter

  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 09 October 2004 - 05:32 PM

NEW ROUND OF TESTING:

Hi All:

Over the past 2 days I've performed yet another round of tests with 20 anti-spyware scanners, this time using a new collection of spyware and adware picked up from my favorite "test" site, "Innovators of Wrestling" (iowrestling.com). As before, I identified a core set of "critical" detections and monitored how thoroughly each anti-spyware scanner removed the "critical" detections. You can find a list of those detections on the Guide page here:

http://spywarewarrior.com/asw-test-guide.htm#detections2

The results of this new round of tests can be found on these two pages:

http://spywarewarrior.com/asw-test-results-3.htm
http://spywarewarrior.com/asw-test-results-4.htm

As I requested before, please have a look at the Guide page before proceeding to the results pages. The Guide page has been revised to account for these new tests. As always, the "Disclaimers" section on the Guide page is "must read":

http://spywarewarrior.com/asw-test-guide.htm#disclaimers

One aspect of these latest tests worth noting: the collection of spyware and adware used for this round of tests included some especially nasty software that proved difficult, if not next to impossible, to remove for the anti-spyware scanners. In particular, the key processes for the following adware/spyware were not killable at all:

IBIS Toolbar/Websearch
IBIS Toolbar/WinTools

The executables were simply too well protected in memory. Even the DiamondCS process tools APM and APT could not remove those processes and modules from memory.

The standard procedure that anti-spyware scanners use in this situation is to remove the files on reboot by configuring the scanners to run through the HKLM\...\RunOnce key. Not a single anti-spyware scanner succeeded in doing that, however, because one of the above processes -- or perhaps it was the VX2 3dsdpi.dll module that was attached to the Winlogon process, a core Windows system process -- blocked changes to the RunOnce key. Still worse, the files mentioned above could not even be removed in Safe Mode.

This all is a potentially huge problem. The only way I succeeded in removing those files was to boot to a command line using SysInternals' ERD Commander 2000. A bootable CD could be used to achieve the same result.

Finally, before anyone asks, let me indicate right now that I am not going to put together a table summarizing the combined results of both rounds of tests. Were I to do so, that table would immediately be taken as a definitive ranking of the products tested, and that kind of ranking is simply not warranted solely on the basis of these two rounds of tests. Moreover, I know that once that table appeared, people would link only to the table, and the rest of the critical information and context regarding these tests would get lost in the rush to judgment.

In any case, questions, comments, and suggestions are always welcome.

Best,

Eric L. Howes


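The on-reboot cleanup Eric describes above depends on a scanner being able to write an entry to the HKLM RunOnce key and on that entry surviving until the next boot. As an added example that is not part of this thread, the following PowerShell script probes exactly that (write a placeholder value, wait, read it back, remove it) and then lists modules loaded into winlogon.exe from outside %SystemRoot%, the situation described with 3dsdpi.dll. The value name, the placeholder command and the function names are assumptions; it targets a current Windows host run from an elevated session, not the 2004 systems used in the tests.

```powershell
# Added example, not part of the thread. Assumes an elevated PowerShell
# session; the value name and command below are constructed placeholders.
$RunOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Write a probe value to RunOnce, wait, read it back, and clean up. If the
# value cannot be written or does not survive, a scanner's "delete on
# reboot" entry would not survive either.
function Test-RunOnceWritable {
    param(
        [string]$KeyPath = $RunOnceKey,
        [string]$Name    = '_RunOnceProbe',        # placeholder value name
        [string]$Data    = 'cmd.exe /c exit'       # harmless placeholder command
    )
    try {
        New-ItemProperty -Path $KeyPath -Name $Name -Value $Data `
            -PropertyType String -Force -ErrorAction Stop | Out-Null
        Start-Sleep -Seconds 2   # give any watchdog process time to revert it
        $readBack = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop).$Name
        return ($readBack -eq $Data)
    } catch {
        Write-Warning "RunOnce probe failed: $($_.Exception.Message)"
        return $false
    } finally {
        Remove-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    }
}

# List modules loaded into winlogon.exe whose file lives outside %SystemRoot%;
# a third-party DLL there is the situation Eric describes with 3dsdpi.dll.
function Get-WinlogonForeignModules {
    $sysRoot = $env:SystemRoot
    foreach ($proc in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
        try {
            $proc.Modules |
                Where-Object { $_.FileName -notlike "$sysRoot\*" } |
                Select-Object @{n='PID';e={$proc.Id}}, ModuleName, FileName
        } catch {
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
        }
    }
}

if (Test-RunOnceWritable) {
    'RunOnce accepted and kept the probe value; on-reboot cleanup can be scheduled.'
} else {
    'RunOnce write was blocked or reverted; plan an offline (boot media) cleanup instead.'
}
Get-WinlogonForeignModules | Format-Table -AutoSize
```

A write that fails or is reverted within the two-second window is a strong hint to skip in-OS removal and go straight to the offline boot-media approach the post ends with.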



